Hello Steve,
I've somehow completely missed the "-F perm=wa" possibility. Thanks very
much for the heads up!
This eases things up quite a bit, especially readability, as my translation
table so far has been, without any warranty of completeness or correctness
at all:
r:
"readlink,quotactl,listxattr,listxattrat,llistxattr,flistxattr,getxattr,getxattrat,lgetxattr,fgetxattr,readlinkat,open,openat,openat2"
w:
"rename,mkdir,rmdir,creat,link,unlink,symlink,mknod,mkdirat,mknodat,unlinkat,renameat,linkat,symlinkat,renameat2,acct,swapon,quotactl,truncate,ftruncate,bind,fallocate,open,openat,openat2"
x:
"execve"
a:
"chmod,fchmod,chown,lchown,fchown,setxattr,setxattrat,lsetxattr,fsetxattr,removexattr,removexattrat,lremovexattr,fremovexattr,fchownat,fchmodat,link,linkat"
And I am not sure I am understanding all of those.
Ede
On 07.07.25 at 16:44, Steven Grubb wrote:
Hello,
To migrate, you don't need to know the syscalls. From the auditctl man page:
auditctl -w /etc/shadow -p wa # Note this slows the system
is the same as:
auditctl -a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa
The main difference is you need to tell it the architecture. There is a
lookup table in the kernel where the permission is used to select the
syscalls. You should see some system performance improvements by migrating.
-Steve
On Tue, Jul 1, 2025 at 2:50 AM Ede Wolf <lis...@nebelschwaden.de> wrote:
Hi,
we would like to convert our old-style syntax, like
-w /etc/crontab -p wa -l some_label
to the new style
-a exit,always -S unlink...
Just wondering, is there a table that translates the permissions
(r,w,x,a) into their respective syscalls?
Thanks
Ede
_______________________________________________
Linux-audit mailing list -- linux-audit@lists.linux-audit.osci.io
To unsubscribe send an email to linux-audit-leave@lists.linux-audit.osci.io
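As an added example (not code from the thread or from the audit project), a small Python translator that rewrites old-style `-w PATH -p PERMS -k KEY` watch rules into the `-a always,exit -F arch=... -F path=... -F perm=...` form described above, emitting one rule per architecture so `-F arch=b32` can be covered too. The `is_dir` switch (using `-F dir=` for directory watches) and the `rwxa` default when `-p` is omitted are my assumptions, not something the thread states.

```python
import shlex

VALID_PERMS = set("rwxa")  # the four -p access types: read, write, execute, attribute


def convert_watch_rule(line, arches=("b64",), is_dir=False):
    """Translate one '-w PATH [-p PERMS] [-k KEY]' rule into -a/-F form.

    Returns a list of rule strings, one per architecture, because the
    explicit form must name an arch. Lines that are not watch rules
    (comments, blanks, existing -a rules) are returned unchanged so a
    whole rules file can be streamed through this function.
    """
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0] != "-w":
        return [line.rstrip("\n")]
    path, perms, key = None, None, None
    i = 0
    while i < len(tokens):
        flag = tokens[i]
        if flag not in ("-w", "-p", "-k") or i + 1 >= len(tokens):
            raise ValueError(f"cannot translate {line!r}: unexpected token {flag!r}")
        value = tokens[i + 1]
        if flag == "-w":
            path = value
        elif flag == "-p":
            if not value or set(value) - VALID_PERMS:
                raise ValueError(f"bad -p value {value!r} in {line!r}")
            perms = value
        else:
            key = value
        i += 2
    if path is None:
        raise ValueError(f"no path in {line!r}")
    if perms is None:
        perms = "rwxa"  # assumed default when -p is not given
    field = "dir" if is_dir else "path"  # assumption: directory watches map to -F dir=
    rules = []
    for arch in arches:
        rule = f"-a always,exit -F arch={arch} -F {field}={path} -F perm={perms}"
        if key:
            rule += f" -k {key}"  # keep the key so ausearch -k still finds the events
        rules.append(rule)
    return rules


def convert_rules_file(text, **kwargs):
    """Convert every line of a rules file, preserving non-watch lines."""
    out = []
    for line in text.splitlines():
        out.extend(convert_watch_rule(line, **kwargs))
    return "\n".join(out)
```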