audit_syscall_to_name - Linux
Overview
audit_syscall_to_name converts a syscall number into its corresponding syscall name. This command is typically used in conjunction with auditd to provide more human-readable information about system calls made by processes.
Syntax
audit_syscall_to_name [syscall_number] [syscall_name]
Options/Flags
- -h, --help: Print usage information and exit.
- -v, --version: Print version information and exit.
- -r, --reverse: Translate syscall names to their corresponding numbers.
Examples
Example 1: Convert a syscall number to a name
Convert syscall number 2 to its corresponding name:
$ audit_syscall_to_name 2
openat
Example 2: Convert a syscall name to a number
Convert syscall name "openat" to its corresponding number:
$ audit_syscall_to_name -r openat
2
Common Issues
Issue: audit_syscall_to_name does not recognize the provided syscall number or name.
Solution: Ensure that the syscall number or name is valid. Refer to the auditd man page or documentation for a list of valid syscalls.
Integration
audit_syscall_to_name can be used with auditd to create rules that monitor specific system calls. For example, the following rule monitors calls to the open syscall made by users whose auid is 1000 or higher:
-a exit,always -F auid>=1000 -S open
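The following is an added example, not code from this page or from the audit project. It shows the number-to-name translation applied to raw SYSCALL records as auditd writes them. Syscall numbers are defined per architecture, so the lookup is keyed on each record's arch field. The log lines are constructed and the tables are a small hand-picked subset, used here only as assumptions for the demonstration.

```python
import re

# Constructed subset of per-architecture syscall tables (not exhaustive).
# Keys are the hex "arch=" values found in audit SYSCALL records.
SYSCALL_TABLES = {
    "c000003e": ("x86_64", {56: "clone", 59: "execve", 257: "openat"}),
    "c00000b7": ("aarch64", {56: "openat", 221: "execve"}),
}

# key=value pairs; values are either double-quoted or a run of non-space chars.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not taken from a real system).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1700000000.101:901): arch=c000003e syscall=56 '
    'success=yes exit=4242 pid=811 auid=1000 comm="bash" exe="/usr/bin/bash"',
    'type=SYSCALL msg=audit(1700000000.202:902): arch=c00000b7 syscall=56 '
    'success=yes exit=3 pid=812 auid=1000 comm="cat" exe="/usr/bin/cat"',
    'type=PATH msg=audit(1700000000.202:902): item=0 name="/etc/hostname" '
    'nametype=NORMAL',
    'type=SYSCALL msg=audit(1700000000.303:903): arch=c000003e syscall=999 '
    'success=no exit=-38 pid=813 auid=1000 comm="x" exe="/tmp/x"',
]

def parse_record(line):
    """Split one raw audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def annotate(line):
    """Return (arch_name, syscall_name, exe) for a SYSCALL record, else None."""
    f = parse_record(line)
    if f.get("type") != "SYSCALL":
        return None
    arch_name, table = SYSCALL_TABLES.get(f.get("arch", "").lower(), ("unknown", {}))
    try:
        number = int(f["syscall"])
    except (KeyError, ValueError):
        return None  # malformed record: no usable syscall field
    # Numbers missing from the table are reported, not silently dropped.
    return arch_name, table.get(number, f"unknown({number})"), f.get("exe", "?")

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        result = annotate(line)
        if result:
            print("%-8s %-14s %s" % result)
```

The first two records carry the same syscall number but resolve to different names because their arch values differ.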