audit_name_to_flag - Linux
Overview
audit_name_to_flag translates a kernel audit event type name into its numeric flag value. The resulting flag can be handed to the syscall integrity verification mechanism provided by the Linux kernel.
Syntax
audit_name_to_flag [OPTIONS] <event_type>
Options/Flags
-h, --help display this help and exit
-v, --version output version information and exit
Examples
Translate the kernel audit event type CWD to a flag value:

# audit_name_to_flag CWD
0x1004
Translate the kernel audit event type EXECVE to a flag value:

# audit_name_to_flag EXECVE
0x4000
Common Issues
Incorrect kernel audit event type:
If the event type name given on the command line is not a valid kernel audit event type, audit_name_to_flag prints an error message and exits; no flag value is written to standard output.
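The two documented lookups and the error case above can be driven from a script. The following is an added example, not code from the original page or from the tool's own project: a small Python wrapper that runs audit_name_to_flag, parses the single hexadecimal value it prints on success, and raises on an unknown event type. It assumes the command is on PATH and exits with a non-zero status after printing its error message; the CWD and EXECVE values are the ones shown on this page, embedded in an offline stand-in runner so the code runs without the tool installed.

```python
"""Wrapper around the audit_name_to_flag command documented on this page.

Added example (not part of the original page). Assumptions: the tool prints
one hexadecimal value on success and prints an error and exits non-zero on
an unknown event type name.
"""
import re
import subprocess
from typing import Callable, Tuple

# Constructed sample mapping, taken from the two examples on the page; it
# backs the offline stand-in runner so this file runs without the tool.
DOCUMENTED_FLAGS = {"CWD": 0x1004, "EXECVE": 0x4000}

_HEX_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s*$")
_NAME_RE = re.compile(r"[A-Z][A-Z0-9_]*")

Runner = Callable[[str], Tuple[str, int]]  # (stdout, exit status)


def parse_flag_output(stdout: str, returncode: int) -> int:
    """Convert the tool's stdout and exit status into an integer flag.

    Raises ValueError when the tool signalled an error (unknown event type)
    or printed anything other than a single hexadecimal value.
    """
    if returncode != 0:
        raise ValueError(f"audit_name_to_flag failed with status {returncode}")
    match = _HEX_RE.match(stdout)
    if match is None:
        raise ValueError(f"unexpected output from audit_name_to_flag: {stdout!r}")
    return int(match.group(1), 16)


def run_real_tool(event_type: str) -> Tuple[str, int]:
    """Invoke the real command (assumed to be on PATH as audit_name_to_flag)."""
    proc = subprocess.run(
        ["audit_name_to_flag", event_type],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout, proc.returncode


def fake_runner(event_type: str) -> Tuple[str, int]:
    """Offline stand-in that mimics the behaviour described on the page."""
    if event_type in DOCUMENTED_FLAGS:
        return f"{DOCUMENTED_FLAGS[event_type]:#x}\n", 0
    return "", 1  # constructed: unknown type -> error on stderr, non-zero exit


def name_to_flag(event_type: str, runner: Runner = run_real_tool) -> int:
    """Look up the flag for an event type name, validating the name first.

    Event type names are upper-case identifiers; rejecting anything else keeps
    option-like or otherwise malformed strings from reaching the subprocess.
    """
    if not _NAME_RE.fullmatch(event_type):
        raise ValueError(f"not a plausible audit event type name: {event_type!r}")
    stdout, status = runner(event_type)
    return parse_flag_output(stdout, status)


if __name__ == "__main__":
    # Use fake_runner here so the demo works offline; drop the argument to
    # call the real tool.
    for name in ("CWD", "EXECVE", "NOT_A_TYPE"):
        try:
            print(name, "->", hex(name_to_flag(name, runner=fake_runner)))
        except ValueError as exc:
            print(name, "->", exc)
```

Passing the command as an argument list (no shell) and validating the name before the call are the two points worth keeping if this is embedded in a larger tool: the exit status, not the presence of output, decides whether a flag was obtained.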
Integration
The output of audit_name_to_flag can be used with the sysdig tool to verify the integrity of system calls. For example:
sysdig -p "event.type == 'syscalls:sys_execve' && event.si_syscall.syscall_flags == 0x4000"