ausyscall is a command-line tool that maps system call names to their numbers, and numbers back to names, for a given architecture. It is especially useful when analyzing audit logs, which reference system calls by number rather than by name.
Install ausyscall
Run the following command to update package lists:
sudo apt update
The ausyscall tool is part of the auditd package, which provides the user-space utilities for the Linux Audit subsystem. Install it with this command:
sudo apt install -y auditd
Testing ausyscall
We can use ausyscall to list all syscall numbers and names for the current architecture as follows:
ausyscall --dump
Example output:
Using x86_64 syscall table:
0 read
1 write
2 open
3 close
4 stat
5 fstat
6 lstat
To view syscall tables for different architectures, specify the architecture explicitly:
ausyscall arm --dump
ausyscall aarch64 --dump
ausyscall riscv32 --dump
ausyscall riscv64 --dump
ausyscall s390x --dump
We can also look up a syscall by its number:
ausyscall 6
Output: lstat
Or look up a syscall by number for a specific architecture:
ausyscall arm 6
Output: close
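The lookups above are what you need when reading raw audit records, where a SYSCALL line carries the architecture as a hex arch= value and the system call only as syscall=N. The script below is an added example, not part of this page or of the audit-userspace project: it parses such lines, maps the arch= value to an ausyscall architecture name (the AUDIT_ARCH_TO_NAME table is my own; it covers four common values and is assumed sufficient here), and calls ausyscall to resolve the number. When the ausyscall binary is not installed it falls back to the x86_64 entries from the --dump output shown above. The log lines are constructed samples, not real audit output.

```python
import re
import shutil
import subprocess

# Audit SYSCALL records carry the architecture as an AUDIT_ARCH_* constant:
# the ELF machine id OR'd with 0x40000000 (little-endian) and 0x80000000
# (64-bit). This table maps the common values to the architecture names
# ausyscall accepts (assumption: only these four are needed for the sample
# lines below; extend it for other architectures).
AUDIT_ARCH_TO_NAME = {
    0xC000003E: "x86_64",
    0x40000003: "i386",
    0x40000028: "arm",
    0xC00000B7: "aarch64",
}

# Fallback taken from the `ausyscall --dump` output shown on the page
# (x86_64, numbers 0-6). Used only when the ausyscall binary is not installed.
FALLBACK_X86_64 = {0: "read", 1: "write", 2: "open", 3: "close",
                   4: "stat", 5: "fstat", 6: "lstat"}

# Matches the arch= and syscall= fields of a SYSCALL record, in that order.
SYSCALL_RE = re.compile(r"\barch=([0-9a-fA-F]+)\b.*?\bsyscall=(\d+)\b")


def syscall_name(arch_name, number):
    """Resolve a syscall number to its name with `ausyscall <arch> <number>`,
    falling back to the page's x86_64 table when ausyscall is unavailable."""
    if shutil.which("ausyscall"):
        proc = subprocess.run(["ausyscall", arch_name, str(number)],
                              capture_output=True, text=True)
        if proc.returncode == 0 and proc.stdout.strip():
            return proc.stdout.strip()
    if arch_name == "x86_64":
        return FALLBACK_X86_64.get(number, f"unknown({number})")
    return f"unknown({number})"


def annotate(line):
    """Return the log line with the syscall number followed by its name,
    e.g. 'syscall=2' becomes 'syscall=2(open)'. Non-SYSCALL lines pass through."""
    m = SYSCALL_RE.search(line)
    if not m:
        return line
    arch_name = AUDIT_ARCH_TO_NAME.get(int(m.group(1), 16))
    if arch_name is None:
        name = f"unknown-arch({m.group(1)})"
    else:
        name = syscall_name(arch_name, int(m.group(2)))
    end = m.end(2)
    return f"{line[:end]}({name}){line[end:]}"


def annotate_log(lines):
    """Annotate every line of an audit log excerpt."""
    return [annotate(line) for line in lines]


# Constructed sample records (not real audit output); fields are trimmed.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=2 '
    'success=yes exit=3 pid=1234 uid=1000 comm="cat" exe="/usr/bin/cat" key="file-open"',
    'type=SYSCALL msg=audit(1700000000.124:457): arch=c000003e syscall=6 '
    'success=no exit=-2 pid=1234 uid=1000 comm="cat" exe="/usr/bin/cat" key="file-open"',
    'type=PROCTITLE msg=audit(1700000000.124:457): proctitle="cat"',
]

if __name__ == "__main__":
    for annotated in annotate_log(SAMPLE_LOG):
        print(annotated)
```

Resolving the architecture first matters: as the arm example above shows, the same number (6) is close on arm but lstat on x86_64, so annotating with the wrong table silently mislabels events. Lines whose arch= value is not in the table are marked rather than guessed.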
Uninstall ausyscall
If you decide to completely remove ausyscall and its dependencies, use the following command. Note that this removes the whole auditd package, not just the ausyscall binary:
sudo apt purge --autoremove -y auditd