audit_syscall_to_name - Linux


Overview

audit_syscall_to_name converts a syscall number into its corresponding syscall name. This command is typically used in conjunction with auditd to provide more human-readable information about system calls made by processes.

Syntax

audit_syscall_to_name [syscall_number] [syscall_name]

Options/Flags

  • -h, --help: Print usage information and exit.
  • -v, --version: Print version information and exit.
  • -r, --reverse: Translate syscall names to their corresponding numbers.

Examples

Example 1: Convert a syscall number to a name

Convert syscall number 2 to its corresponding name:

$ audit_syscall_to_name 2
openat

Example 2: Convert a syscall name to a number

Convert syscall name "openat" to its corresponding number:

$ audit_syscall_to_name -r openat
2

Common Issues

Issue: audit_syscall_to_name does not recognize the provided syscall number or name.

Solution: Ensure that the syscall number or name is valid. Refer to the auditd man page or documentation for a list of valid syscalls.

Integration

audit_syscall_to_name can be used with auditd when writing rules that monitor specific system calls. For example, the following rule records calls to the open syscall made by processes whose audit login UID (auid) is 1000 or higher:

-a exit,always -F auid>=1000 -S open
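
The same translation applied to audit log records, as an added example (not code from the tool or from auditd): it resolves the syscall= number in each SYSCALL record against a table chosen by the record's arch= field, because syscall numbers differ between architectures. The table is a small excerpt, the function names are hypothetical, and the sample records are constructed.

```python
import re

# Excerpt of per-architecture syscall tables (assumption: a few rows each).
# Keys are the hex AUDIT_ARCH values seen in the arch= field.
SYSCALLS = {
    "c000003e": {56: "clone", 59: "execve", 257: "openat"},  # x86_64
    "40000003": {11: "execve", 295: "openat"},               # i386
    "c00000b7": {56: "openat", 221: "execve"},               # aarch64
}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict of key=value fields."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}

def syscall_name(record):
    """Resolve syscall= against the table for the record's own arch=."""
    table = SYSCALLS.get(record.get("arch", "").lower())
    try:
        return table.get(int(record["syscall"])) if table else None
    except (KeyError, ValueError):
        return None

def annotate(lines):
    """Return (auid, syscall name) for each SYSCALL record, in order."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue  # PATH, CWD and other record types carry no syscall=
        name = syscall_name(rec) or f"unknown({rec.get('syscall')})"
        out.append((rec.get("auid"), name))
    return out

# Constructed sample records (not captured from a real system).
SAMPLE = [
    'type=SYSCALL msg=audit(1700000000.101:10): arch=c000003e syscall=257 success=yes exit=3 auid=1000 comm="cat"',
    'type=PATH msg=audit(1700000000.101:10): item=0 name="/etc/hosts"',
    'type=SYSCALL msg=audit(1700000000.202:11): arch=c00000b7 syscall=56 success=yes exit=3 auid=1001 comm="cat"',
    'type=SYSCALL msg=audit(1700000000.303:12): arch=c000003e syscall=56 success=yes exit=4242 auid=1000 comm="bash"',
    'type=SYSCALL msg=audit(1700000000.404:13): arch=c000003e syscall=9999 success=no exit=-38 auid=1000 comm="x"',
]

if __name__ == "__main__":
    for auid, name in annotate(SAMPLE):
        print(f"auid={auid} syscall={name}")
```

Number 56 resolves to openat in the aarch64 record and to clone in the x86_64 record, so a lookup that ignores arch= mislabels events on mixed fleets.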

Related Commands