Bug 509570 - ausyscall --dump (asking to print a description of all syscalls).
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: audit
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assigned To: Steve Grubb
Reported: 2009-07-03 13:05 EDT by goat
Modified: 2009-08-31 09:34 EDT
Doc Type: Bug Fix
Last Closed: 2009-08-31 09:34:52 EDT
Description goat 2009-07-03 13:05:27 EDT
Description of problem:

The ausyscall --dump tool is very valuable when setting up audit.rules files. In fact, it is very important to help with specific security policies.

It would be very nice if the ausyscall --dump command also listed out a description of each syscall along with the already given name and syscall number. This would be very very very helpful. Most security engineers are not that tuned in to a system call, so this would be very helpful. Red Hat is already the most secure mainstream OS in the world, and this would just make it that much better. Thank you.

Comment 1 goat 2009-07-03 13:09:51 EDT
BTW, au-remote is fantastic for Centralized Logging. I have it running in a couple of big sites; all it needs is a nice GUI for the aureport and ausearch commands... It would also be nice to have the aureport and ausearch commands be able to go into a zipped audit file by a switch. Currently I am rotating logs on a daily basis and zipping them up for compliance.

Thanks for all the good audit work.
Comment 2 Steve Grubb 2009-07-06 13:23:25 EDT
Adding descriptions of all syscalls would not be a small task. From inside the lib directory of the source code tarball, I ran this:

cat *_table.h | grep '^_S' | awk '{ print $2 }' | tr '")' ' ' | sort | uniq | wc -l

It says there are 505 syscalls to document. While this is an interesting idea, I think this is just not feasible right now.

As for gzip support, that is something that is on the TODO list and could see its way into a future release. In the meantime, you can do

zcat audit.log.1.zip | ausearch --start today ...
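The two techniques in the comment above, the pipeline that counts distinct syscall names across the per-architecture tables and the decompress-on-the-fly workaround for rotated logs, as an added example that is not part of the bug report or of the audit project's own code. The `_S(<number>, "<name>")` line format is the one the audit-userspace `lib/*_table.h` files use, but the table contents, the audit log records and the `.gz` suffix here are constructed assumptions, and `grep` stands in for `ausearch` so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the bug report. Reproduces the syscall-count
# pipeline from comment 2 on constructed *_table.h files and the
# "decompress and pipe" workaround for compressed audit logs.

# Build a scratch directory with two constructed per-architecture tables
# (not the real audit tables). "read", "write" and "exit" appear in both,
# so the pipeline must count each of them only once.
make_tables() {
    dir=$(mktemp -d)
    cat > "$dir/i386_table.h" <<'EOF'
/* constructed sample, not the real audit table */
_S(0, "restart_syscall")
_S(1, "exit")
_S(3, "read")
_S(4, "write")
EOF
    cat > "$dir/x86_64_table.h" <<'EOF'
/* constructed sample, not the real audit table */
_S(0, "read")
_S(1, "write")
_S(60, "exit")
_S(231, "exit_group")
EOF
    echo "$dir"
}

# The pipeline from comment 2, run inside the given directory: keep the
# _S(...) lines, take the second whitespace field (the quoted name plus the
# closing paren), turn the quote and paren into spaces, then count the
# distinct names. The trailing tr removes the padding some wc builds print.
count_syscalls() {
    ( cd "$1" && cat *_table.h | grep '^_S' | awk '{ print $2 }' \
        | tr '")' ' ' | sort | uniq | wc -l | tr -d ' ' )
}

# Write a constructed two-record audit log into the directory and gzip it,
# the way a daily rotation with compression would (assumed .gz suffix).
make_gzipped_log() {
    printf '%s\n' \
      'type=SYSCALL msg=audit(1246640727.123:42): arch=c000003e syscall=2 success=yes exit=3 comm="cat" key="open_watch"' \
      'type=SYSCALL msg=audit(1246640728.456:43): arch=c000003e syscall=0 success=yes exit=512 comm="cat" key=(null)' \
      > "$1/audit.log.1"
    gzip -f "$1/audit.log.1"            # produces audit.log.1.gz
    echo "$1/audit.log.1.gz"
}

# Same shape as `zcat audit.log.1.gz | ausearch ...`: decompress to stdout
# and pipe into the consumer without unpacking to disk. gzip -dc is the
# portable spelling of zcat; grep -c stands in for ausearch and counts the
# records for one syscall number (trailing space keeps 2 from matching 23).
count_syscall_records() {
    gzip -dc "$1" | grep -c "syscall=$2 "
}

# Stand-alone run: 5 distinct names, then one record each for syscall 2 and 0.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_tables)
    echo "distinct syscalls: $(count_syscalls "$d")"
    g=$(make_gzipped_log "$d")
    echo "records for syscall 2: $(count_syscall_records "$g" 2)"
    rm -rf "$d"
fi
```

Run it with `sh script.sh --demo`. The count is deliberately taken across all `*_table.h` files at once because the same name recurs under different numbers per architecture, which is exactly why the report's request is sized by unique names rather than by table rows.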
Comment 3 Steve Grubb 2009-08-31 09:34:52 EDT
Closing this request. Unfortunately, it's just not feasible to do it.