From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Assorted questions
Date: Fri, 10 Aug 2007 10:35:23 -0400
Message-ID: <200708101035.23785.sgrubb@redhat.com>
References: <1186670046.6810.9.camel@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <1186670046.6810.9.camel@localhost.localdomain>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday 09 August 2007 10:34:06 Matthew Booth wrote:
> Questions relate to RHEL4 (unless they don't).
>
> How can I programmatically translate an architecture into human, eg
> 40000003 =3D> 'i686'?

>>From ausearch source code, ausearch-report.c:

static void print_arch(const char *val)
{
        unsigned int ival;
        const char *ptr;

        errno =3D 0;
        ival =3D strtoul(val, NULL, 16);
        if (errno) {
                printf("conversion error(%s) ", val);
                return;
        }
        machine =3D audit_elf_to_machine(ival);
        if (machine < 0) {
                printf("unknown elf type(%s) ", val);
                return;
        }
        ptr =3D audit_machine_to_name(machine);
        printf("%s ", ptr);
}


> Is there a way of doing a syscall name lookup without having root?

You do not have to have root to call either of these functions:

extern int audit_name_to_syscall(const char *sc, int machine);
extern const char *audit_syscall_to_name(int sc, int machine);


> In RHEL5, what's the equivalent of 'auditctl -t'?

auditctl -t does not exist anymore.

-Steve