ausyscall
Translate syscall number to name
TLDR
Display syscall number of a specific system call
Display name of a specific system call number
Display all system calls for a specific architecture
SYNOPSIS
ausyscall [options] [syscall_name_or_number]
PARAMETERS
-i syscall_number
Interprets the argument as a system call number and displays its corresponding name.
-n syscall_name
Interprets the argument as a system call name and displays its corresponding number.
-a architecture
Specifies the CPU architecture for the lookup (e.g., x86_64, i386, aarch64). This option must precede -i or -n if used with a specific lookup.
-P
Prints all system calls for the current architecture, including their names and numbers. This is the default behavior if no other arguments are provided.
-h
Displays a short help message and exits.
DESCRIPTION
ausyscall is a utility from the audit-userspace tools that provides a convenient way to query and translate system call names to their corresponding numbers, and vice versa.
It's particularly useful when analyzing audit logs, which often record syscall numbers, or when constructing audit rules that need to filter by specific syscalls. The tool is architecture-aware, meaning it uses the correct syscall mappings for the current system's CPU architecture. It can list all known syscalls, or perform specific lookups by name or number. This helps users understand system activity at a low level without needing to consult kernel source code or architecture-specific tables.
CAVEATS
ausyscall relies on architecture-specific system call mappings. The numbers for the same system call can vary significantly between different CPU architectures (e.g., x86_64 vs. i386 vs. aarch64). Users must ensure they are performing lookups for the correct architecture, especially when analyzing logs from heterogeneous systems.
New system calls are added over time and, although rare for existing calls, their numbers can change across major kernel versions. The utility requires the audit-userspace package to be installed, as it is not a core Linux utility.
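Added example, not part of this page or of the audit-userspace tools: a Python helper that resolves the syscall= field of type=SYSCALL audit records using the table for the record's own arch= value rather than the analysis host's architecture, which is the check the caveat above calls for with logs from heterogeneous systems. It assumes the upstream invocation `ausyscall <arch> --dump` and its `number<TAB>name` output lines; the audit records and table excerpts below are constructed.

```python
import re
import subprocess

# Audit "arch=" values (kernel AUDIT_ARCH_* constants) -> ausyscall architecture names.
AUDIT_ARCH = {0xC000003E: "x86_64", 0x40000003: "i386", 0xC00000B7: "aarch64"}

# Constructed excerpts of `ausyscall <arch> --dump` output; the real output lists
# every syscall. The numbers match the upstream Linux syscall tables.
SAMPLE_DUMPS = {
    "x86_64": "Using x86_64 syscall table:\n2\topen\n59\texecve\n257\topenat\n",
    "i386": "Using i386 syscall table:\n2\tfork\n11\texecve\n295\topenat\n",
    "aarch64": "Using aarch64 syscall table:\n56\topenat\n59\tpipe2\n221\texecve\n",
}

def parse_dump(text):
    """Turn --dump output into {number: name}; the 'Using ...' header is skipped."""
    table = {}
    for line in text.splitlines():
        num, sep, name = line.partition("\t")
        if sep and num.isdigit():
            table[int(num)] = name.strip()
    return table

def load_table(arch):
    """Use the installed ausyscall when present, else the embedded excerpt."""
    try:
        out = subprocess.run(["ausyscall", arch, "--dump"],
                             capture_output=True, text=True, check=True)
        return parse_dump(out.stdout)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return parse_dump(SAMPLE_DUMPS.get(arch, ""))

def resolve(record, tables):
    """Map one type=SYSCALL record to (arch, number, name), choosing the table
    from the record's own arch= field rather than the analysis host's."""
    m = re.search(r"\barch=([0-9a-fA-F]+)\b.*?\bsyscall=(\d+)\b", record)
    if not m:
        return None
    arch = AUDIT_ARCH.get(int(m.group(1), 16), "unknown")
    number = int(m.group(2))
    if arch not in tables:
        tables[arch] = load_table(arch)
    return arch, number, tables[arch].get(number, "unknown")

# Constructed records: syscall=59 is execve on x86_64 but pipe2 on aarch64.
RECORDS = [
    'type=SYSCALL msg=audit(1700000000.123:45): arch=c000003e syscall=59 success=yes exit=0 comm="bash" key="exec"',
    'type=SYSCALL msg=audit(1700000001.456:46): arch=c00000b7 syscall=59 success=yes exit=0 comm="sh" key="exec"',
]
```

Passing a pre-filled `tables` dict (for instance built from the embedded excerpts) keeps the lookups offline; an empty dict makes `resolve` call the installed ausyscall once per architecture seen.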
USAGE IN AUDIT RULES
When defining audit rules using auditctl, system call numbers are often preferred over names for performance and consistency across different locales. ausyscall is an invaluable tool for quickly finding the correct syscall number for a specific action (e.g., open, execve) to include in an auditctl rule, ensuring that audit events are accurately captured.
ARCHITECTURE MAPPINGS
The tool uses internal data structures, typically populated from files located in /usr/share/audit/syscalls/, to map syscall names to numbers. These tables are meticulously maintained for various CPU architectures, ensuring that the tool provides the correct translation for the current system's architecture or any specified architecture.
HISTORY
ausyscall is an integral part of the Linux Audit Framework, developed to provide a robust security auditing solution for the Linux kernel. It emerged as a necessary utility for system administrators and security analysts to bridge the gap between low-level kernel events (represented by syscall numbers in audit logs) and human-readable names. Its functionality has remained consistently focused on providing accurate, architecture-specific mappings, serving as a vital component for understanding and configuring audit rules.