audit_name_to_flag - Linux
Overview

audit_name_to_flag translates a kernel audit event type name into a numeric flag value. The resulting flag can be consumed by the syscall integrity verification mechanism provided by the Linux kernel.

Syntax

audit_name_to_flag [OPTIONS] <event_type>

Options/Flags

-h, --help                display this help and exit
-v, --version             output version information and exit

Examples

Translate the kernel audit event type CWD to a flag value:

# audit_name_to_flag CWD
0x1004

Translate the kernel audit event type EXECVE to a flag value:

# audit_name_to_flag EXECVE
0x4000

Common Issues

Incorrect kernel audit event type:
If the specified kernel audit event type is not valid, audit_name_to_flag prints an error message and exits without producing a flag value.

Integration

The flag value printed by audit_name_to_flag can be used in a sysdig filter to verify the integrity of system calls. For example:

sysdig -p "event.type == 'syscalls:sys_execve' && event.si_syscall.syscall_flags == 0x4000"
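The Examples, Common Issues and Integration sections above describe a three-step workflow: look the event type up, make sure the tool actually accepted it, and only then put the value into a sysdig filter. The following Python wrapper, added here as an illustration and not part of this page or of the tool itself, does exactly that. It validates the event type name before invoking the tool, treats a non-zero exit or non-hex output as a hard error instead of passing junk downstream, and assembles the filter expression in the form shown in the Integration section (the sysdig field names are taken from this page as given and are not verified here). The fake runner and its CWD/EXECVE table are constructed from the two examples above so the code runs without the binary installed; the real runner is the default.

```python
import re
import subprocess
from typing import Callable, List, Tuple

# A runner takes an argv list and returns (exit_status, stdout). Injecting it
# lets the lookup be exercised without the real binary on the system.
Runner = Callable[[List[str]], Tuple[int, str]]

EVENT_TYPE_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")   # e.g. CWD, EXECVE
HEX_FLAG_RE = re.compile(r"^0x[0-9a-fA-F]+$")      # e.g. 0x4000
SYSCALL_RE = re.compile(r"^[a-z][a-z0-9_]*$")      # e.g. execve


def run_audit_name_to_flag(argv: List[str]) -> Tuple[int, str]:
    """Default runner: invoke the real tool, assumed to be on PATH."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout


# Constructed stand-in for the tool, built only from the two examples on this
# page; any other name is reported as invalid with a non-zero exit status.
FAKE_TABLE = {"CWD": "0x1004\n", "EXECVE": "0x4000\n"}


def fake_runner(argv: List[str]) -> Tuple[int, str]:
    name = argv[-1]
    if name in FAKE_TABLE:
        return 0, FAKE_TABLE[name]
    return 1, ""


def lookup_flag(event_type: str, runner: Runner = run_audit_name_to_flag) -> int:
    """Translate an audit event type name to its integer flag value.

    Raises ValueError when the name is malformed, when the tool reports an
    invalid event type (non-zero exit), or when its output is not a hex
    literal, so a caller never receives a bogus flag.
    """
    if not EVENT_TYPE_RE.match(event_type):
        raise ValueError(f"refusing malformed event type name: {event_type!r}")
    status, out = runner(["audit_name_to_flag", event_type])
    if status != 0:
        raise ValueError(f"audit_name_to_flag rejected {event_type!r} (exit {status})")
    text = out.strip()
    if not HEX_FLAG_RE.match(text):
        raise ValueError(f"unexpected output from audit_name_to_flag: {text!r}")
    return int(text, 16)


def sysdig_filter(syscall: str, flag: int) -> str:
    """Build the filter expression in the form shown in the Integration
    section, rendering the flag as a hex literal."""
    if not SYSCALL_RE.match(syscall):
        raise ValueError(f"refusing malformed syscall name: {syscall!r}")
    return (f"event.type == 'syscalls:sys_{syscall}' && "
            f"event.si_syscall.syscall_flags == {flag:#x}")


if __name__ == "__main__":
    # Uses the constructed runner so the demo works offline.
    flag = lookup_flag("EXECVE", fake_runner)
    print(sysdig_filter("execve", flag))
```

Swap `fake_runner` for the default runner to query the installed tool; the validation path is identical, so an invalid event type surfaces as a `ValueError` rather than as an empty or malformed filter.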

Related Commands