From 99c57215ea9a0636c63509f014e58dffc77229a0 Mon Sep 17 00:00:00 2001
From: EzLucky <EzLucky@users.noreply.github.com>
Date: Tue, 28 Jan 2025 11:15:08 +0100
Subject: [PATCH] 32 bit ABI

---
 audit.rules | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/audit.rules b/audit.rules
index f71bf7c..726533f 100644
--- a/audit.rules
+++ b/audit.rules
@@ -806,12 +806,13 @@
 -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification
 -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification
 
-## 32bit API Exploitation
+## 32bit ABI Exploitation
+### https://github.com/linux-audit/audit-userspace/blob/c014eec64b3a16c004f4a75e5792a4ac2fcc0df2/rules/21-no32bit.rules
 ### If you are on a 64 bit platform, everything _should_ be running
 ### in 64 bit mode. This rule will detect any use of the 32 bit syscalls
 ### because this might be a sign of someone exploiting a hole in the 32
-### bit API.
--a always,exit -F arch=b32 -S all -k 32bit_api
+### bit ABI.
+-a always,exit -F arch=b32 -S all -k 32bit_abi
 
 # Make The Configuration Immutable --------------------------------------------