Description of problem:
The ausyscall --dump tool is very valuable when setting up audit.rules files. In fact, it is very important to help with specific security policies. It would be very nice if the ausyscall --dump command also listed out a description of each syscall along with the already given name and syscall number. This would be very very very helpful. Most security engineers are not that tuned in to a system call, so this would be very helpful. Red Hat is already the most secure mainstream OS in the world, and this would just make it that much better. Thank you.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
BTW, au-remote is fantastic for Centralized Logging. I have it running in a couple of big sites, all it needs is a nice GUI for the aureport and ausearch commands... It would also be nice to have the aureport and ausearch commands be able to go into a zipped audit file by a switch. Currently I am rotating logs on a daily basis and zipping them up for compliance. Thanks for all the good audit work.
Adding descriptions of all syscalls would not be a small task. From inside the lib directory of the source code tarball, I ran this:

    cat *_table.h | grep '^_S' | awk '{ print $2 }' | tr '")' ' ' | sort | uniq | wc -l

It says there are 505 syscalls to document. While this is an interesting idea, I think this is just not feasible right now.

As for gzip support, that is something that is on the TODO list and could see its way into a future release. In the meantime, you can do:

    zcat audit.log.1.zip | ausearch --start today ...
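The two things the comment above does by hand, counting the distinct syscall names in the lib/*_table.h files and streaming a rotated, compressed log into ausearch, are written up here as an added shell example. This is not code from the audit-userspace project or from anyone in this ticket. It assumes the `_S(number, "name")` layout of the table headers that the pipeline above relies on, and it builds its own constructed table fragments and audit records in a temporary directory so it runs without a real source tree or audit log. The `audit_cat` helper generalizes the zcat workaround to any mix of plain and gzip-compressed files given in rotation order.

```shell
#!/bin/sh
# Added example, not audit-userspace code. Two helpers:
#   count_syscalls DIR  - number of distinct syscall names in DIR/*_table.h,
#                         using the same pipeline the comment above ran
#   audit_cat FILE...   - stream audit logs (plain or .gz) in the order given,
#                         so rotated logs can be piped into ausearch/aureport

# Count distinct syscall names in the _S(number, "name") entries.
# Names that appear in several per-arch tables are counted once.
count_syscalls() {
    dir="$1"
    cat "$dir"/*_table.h | grep '^_S' | awk '{ print $2 }' \
        | tr '")' ' ' | sort | uniq | wc -l | tr -d ' '
}

# Emit each file's contents; gzip-compressed files are decompressed on the fly.
audit_cat() {
    for f in "$@"; do
        case "$f" in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done
}

# Build a constructed sample tree (fake tables and fake audit records) in a
# temporary directory and print its path. Nothing here is real project data.
make_sample() {
    d=$(mktemp -d)
    # Constructed table fragments in the _S(number, "name") layout.
    cat > "$d/x86_64_table.h" <<'EOF'
/* constructed sample, not the real table */
_S(0, "read")
_S(1, "write")
_S(2, "open")
_S(59, "execve")
EOF
    cat > "$d/i386_table.h" <<'EOF'
/* constructed sample, not the real table */
_S(3, "read")
_S(4, "write")
_S(5, "open")
_S(11, "execve")
_S(120, "clone")
EOF
    # Constructed audit records: one current log, one rotated and gzipped.
    printf 'type=SYSCALL msg=audit(1.000:1): arch=c000003e syscall=59 success=yes\n' \
        > "$d/audit.log"
    printf 'type=SYSCALL msg=audit(0.500:1): arch=c000003e syscall=2 success=yes\n' \
        > "$d/audit.log.1"
    printf 'type=SYSCALL msg=audit(0.600:2): arch=c000003e syscall=59 success=no\n' \
        >> "$d/audit.log.1"
    gzip "$d/audit.log.1"
    echo "$d"
}

# Stand-alone run on the constructed sample.
main() {
    d=$(make_sample)
    echo "distinct syscall names: $(count_syscalls "$d")"
    echo "records in rotated + current logs:"
    audit_cat "$d/audit.log.1.gz" "$d/audit.log"
    rm -rf "$d"
}

# Only run main when executed directly, not when sourced for the helpers.
case "$0" in
    *sh) ;;
    *) main ;;
esac
```

Against a real install the second helper is used the way the comment's zcat pipeline is, oldest file first so records arrive in time order, e.g. `audit_cat /var/log/audit/audit.log.2.gz /var/log/audit/audit.log.1.gz /var/log/audit/audit.log | ausearch --start today ...` (the paths and rotation suffixes are assumptions; adjust them to your logrotate setup). Note that `gzip -dc` only handles gzip data, so logs archived as .zip need `unzip -p` in the `*.zip` case instead.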
Closing this request. Unfortunately, it's just not feasible to do it.