Hello Steve,

I've somehow completely missed the "-F perm=wa" possibility. Thanks very much for the heads up!

This eases things quite a bit, especially readability, as my translation table so far has been, without any warranty of completeness or correctness at all:

r: "readlink,quotactl,listxattr,listxattrat,llistxattr,flistxattr,getxattr,getxattrat,lgetxattr,fgetxattr,readlinkat,open,openat,openat2"

w: "rename,mkdir,rmdir,creat,link,unlink,symlink,mknod,mkdirat,mknodat,unlinkat,renameat,linkat,symlinkat,renameat2,acct,swapon,quotactl,truncate,ftruncate,bind,fallocate,open,openat,openat2"

x: "execve"

a: "chmod,fchmod,chown,lchown,fchown,setxattr,setxattrat,lsetxattr,fsetxattr,removexattr,removexattrat,lremovexattr,fremovexattr,fchownat,fchmodat,link,linkat"

And I am not sure I am understanding all of those.

Ede


On 07.07.25 at 16:44, Steven Grubb wrote:
Hello,

To migrate, you don't need to know the syscalls. From the auditctl man page:

        auditctl -w /etc/shadow -p wa # Note this slows the system

is the same as:

        auditctl -a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa

The main difference is you need to tell it the architecture. There is a lookup table in the kernel where the permission is used to select the syscalls. You should see some system performance improvements by migrating.

-Steve

On Tue, Jul 1, 2025 at 2:50 AM Ede Wolf <lis...@nebelschwaden.de> wrote:

    Hi,

    we would like to convert our old-style syntax, like

    -w /etc/crontab -p wa -l some_label

    to the new style

    -a exit,always. -S unlink...

    Just wondering, is there a table, that translates the permission
    (r,w,x,a) into their respective syscalls?


    Thanks

    Ede
    _______________________________________________
    Linux-audit mailing list -- linux-audit@lists.linux-audit.osci.io
    To unsubscribe send an email to linux-audit-leave@lists.linux-audit.osci.io
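
As an added example (not from the thread or from the audit project), a POSIX shell filter that applies the equivalence Steve quotes from the auditctl man page to a whole rules file. It assumes keys are given with `-k`, that it runs on the audited host so a watched directory can be detected and written with `-F dir=`, and the `ARCHES` variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): rewrite "-w PATH -p PERMS [-k KEY]"
# watches as "-a always,exit ... -F perm=PERMS" rules.
# ARCHES is this sketch's own knob: one rule is printed per listed arch.
ARCHES="${ARCHES:-b64}"

convert_watch() {   # $1 = one "-w ..." rule line; returns 2 if unsure
    path="" perms="" key=""
    set -f; set -- $1; set +f          # split into words without globbing
    while [ $# -gt 0 ]; do
        [ $# -ge 2 ] || return 2       # option with no value
        case "$1" in
            -w) path=$2 ;;
            -p) perms=$2 ;;
            -k) key=$2 ;;
            *)  return 2 ;;            # anything else needs a human
        esac
        shift 2
    done
    [ -n "$path" ] || return 2
    case "$perms" in
        ""|*[!rwxa]*) return 2 ;;      # missing or invalid permission set
    esac
    field=path                         # a watched directory uses -F dir=
    if [ -d "$path" ]; then field=dir; fi
    for arch in $ARCHES; do
        printf '%s' "-a always,exit -F arch=$arch -F $field=$path -F perm=$perms"
        if [ -n "$key" ]; then printf ' -k %s' "$key"; fi
        printf '\n'
    done
    return 0
}

convert_rules() {   # filter: old rules on stdin, converted rules on stdout
    while IFS= read -r line; do
        case "$line" in
            -w\ *) convert_watch "$line" || printf '# REVIEW: %s\n' "$line" ;;
            *)     printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed sample input; the last rule has no -p and is flagged, not guessed.
convert_rules <<'EOF'
-w /etc/crontab -p wa -k some_label
-w /etc/shadow -p wa
-w /etc/passwd
EOF
```

Setting `ARCHES="b64 b32"` prints one rule per architecture, for hosts where 32-bit syscalls are also possible.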
