
ausyscall

Translate syscall number to name

TLDR

Display syscall number of a specific system call

$ ausyscall [search_pattern]

Display name of a specific system call number

$ ausyscall [system_call_number]

Display all system calls for a specific architecture

$ ausyscall [architecture] --dump

SYNOPSIS

ausyscall [-h|-V] [-l [-g group]] [-m message] [-a list|append|delete] [-s syscall]

PARAMETERS

-h, --help
    Display help message and exit

-V, --version
    Print version information

-l, --list
    List all syscall names (with -g, list in specific group)

-g group, --group=group
    Specify syscall group (e.g., file, net, ipc)

-m message, --message=message
    Set descriptive message for syscall (requires -s)

-a action, --add-action=action
    list|append|delete actions for syscall (requires -s)

-s syscall, --syscall=syscall
    Syscall name or number

DESCRIPTION

ausyscall is a command-line utility from the Linux Audit system (part of the audit package) used to display, query, and manage system calls available for auditing. It interacts with the kernel's audit subsystem via netlink sockets to list all syscall names/numbers, filter by groups (e.g., file, ipc), set descriptive messages for specific syscalls, and add, append, or delete audit actions associated with them.

It is primarily used by system administrators to configure fine-grained auditing rules before applying them with tools like auditctl. For example, listing syscalls helps identify the numbers needed for rules, while setting messages aids log readability. It requires root privileges for modifications and works alongside the auditd daemon.

The tool maintains an internal syscall table mapping names to numbers and groups, ensuring consistency across architectures. It's essential for security auditing, compliance (e.g., PCI-DSS), and troubleshooting kernel events.
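The most common defender-side use of the number-to-name translation is making raw audit records readable: a SYSCALL record carries `arch=` and `syscall=` as numbers, and the name depends on the architecture. The following Python script is an added example, not code from the page or from the audit project. It parses constructed sample records, and resolves each syscall number with `ausyscall <arch> <number>` (the arch/number form shown in the TLDR) when the binary is on PATH; when it is not, it falls back to a small embedded x86_64 table so the script still runs offline. The sample log lines, the `ARCH_NAMES` and `FALLBACK_X86_64` tables, and all function names are this example's own.

```python
import re
import shutil
import subprocess

# Constructed sample records in the format auditd writes for SYSCALL events.
# Field values are made up for illustration; they are not from a real host.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=257 success=yes exit=3 comm="cat" exe="/usr/bin/cat"
type=SYSCALL msg=audit(1700000000.102:302): arch=c000003e syscall=59 success=yes exit=0 comm="bash" exe="/usr/bin/bash"
type=SYSCALL msg=audit(1700000000.103:303): arch=c000003e syscall=2 success=no exit=-13 comm="nc" exe="/usr/bin/nc"
type=PROCTITLE msg=audit(1700000000.103:303): proctitle=6E63
"""

# Kernel AUDIT_ARCH_* values as they appear in the arch= field of audit records.
ARCH_NAMES = {
    "c000003e": "x86_64",
    "40000003": "i386",
    "c00000b7": "aarch64",
}

# Minimal offline table of x86_64 syscall numbers, used only when ausyscall is absent.
FALLBACK_X86_64 = {0: "read", 1: "write", 2: "open", 3: "close", 59: "execve", 257: "openat"}

# key=value pairs; values may be quoted strings containing spaces.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}


def arch_name(arch_hex):
    """Translate the hex arch= field to the architecture name ausyscall expects."""
    return ARCH_NAMES.get(arch_hex.lower(), arch_hex)


def resolve_syscall(arch_hex, number, use_ausyscall=True):
    """Map a syscall number to its name for the given arch= value.

    Runs `ausyscall <arch> <number>` when the binary is on PATH; otherwise
    consults the embedded x86_64 table. Unknown numbers stay visible as-is.
    """
    arch = arch_name(arch_hex)
    if use_ausyscall and shutil.which("ausyscall"):
        proc = subprocess.run(["ausyscall", arch, str(number)],
                              capture_output=True, text=True)
        if proc.returncode == 0 and proc.stdout.strip():
            return proc.stdout.strip()
    if arch == "x86_64" and number in FALLBACK_X86_64:
        return FALLBACK_X86_64[number]
    return f"syscall_{number}"


def annotate_syscall_records(log_text, use_ausyscall=True):
    """Return (comm, arch name, syscall name, success) for every SYSCALL record."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue  # PROCTITLE, PATH, CWD and similar records carry no syscall number
        name = resolve_syscall(rec["arch"], int(rec["syscall"]), use_ausyscall)
        rows.append((rec.get("comm", "?"), arch_name(rec["arch"]),
                     name, rec.get("success") == "yes"))
    return rows


if __name__ == "__main__":
    for comm, arch, name, ok in annotate_syscall_records(SAMPLE_AUDIT_LOG):
        print(f"{comm:<8} {arch:<8} {name:<10} {'ok' if ok else 'denied'}")
```

Passing the architecture explicitly matters: the same number names different syscalls on x86_64 and i386, so a resolver that ignores `arch=` will mislabel records from 32-bit processes on a 64-bit host. The fallback table is deliberately tiny; on a real system the installed `ausyscall` is authoritative for the running kernel's table.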

CAVEATS

Requires root privileges for modifications; listing works unprivileged. Dependent on kernel audit support (CONFIG_AUDIT). Incompatible with some containerized environments lacking full kernel access.

COMMON USAGE

ausyscall -l lists all syscalls.
ausyscall -l -g file lists file-related syscalls.
ausyscall -m 'open file' -s openat sets message.

HISTORY

Developed by Steve Grubb (Red Hat) as part of Linux Audit framework circa 2005, integrated with SELinux for mandatory access control auditing. Evolved with kernel audit_netlink interface; current in audit 3.x packages.

SEE ALSO

auditctl(8), auditd(8), aureport(8), ausearch(8)
