auparse

package
v0.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Mar 28, 2018 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Overview

Package auparse is a pure Go audit log parsing library. It can parse and enrich audit messages from the Linux kernel.

Each message is composed of multiple fields that are reported as key=value. Any data that does not contain an equals sign is treated as superfluous and is ignored by the parser; retain the raw message if that text is needed later.

Index

Examples

Constants

This section is empty.

Variables

// AuditArchNames maps each AuditArch constant to a lower-case architecture
// name string. Several of these names (for example "aarch64", "arm", "i386",
// "ia64") are also used as the top-level keys of AuditSyscalls.
//
// Indexing the map with an AuditArch value that has no entry yields the empty
// string (the Go zero value), so callers that handle arch values taken from
// audit records should use the two-value form, name, ok := AuditArchNames[a],
// and treat !ok as "unknown architecture" rather than carrying "" forward.
// NOTE(review): presumably the key is decoded from the arch= field of a
// syscall record; confirm against the parser.
var AuditArchNames = map[AuditArch]string{
	AUDIT_ARCH_AARCH64:     "aarch64",
	AUDIT_ARCH_ARM:         "arm",
	AUDIT_ARCH_ARMEB:       "armeb",
	AUDIT_ARCH_CRIS:        "cris",
	AUDIT_ARCH_FRV:         "frv",
	AUDIT_ARCH_I386:        "i386",
	AUDIT_ARCH_IA64:        "ia64",
	AUDIT_ARCH_M32R:        "m32r",
	AUDIT_ARCH_M68K:        "m68k",
	AUDIT_ARCH_MIPS:        "mips",
	AUDIT_ARCH_MIPS64:      "mips64",
	AUDIT_ARCH_MIPS64N32:   "mips64n32",
	AUDIT_ARCH_MIPSEL:      "mipsel",
	AUDIT_ARCH_MIPSEL64:    "mipsel64",
	AUDIT_ARCH_MIPSEL64N32: "mipsel64n32",
	AUDIT_ARCH_PARISC:      "parisc",
	AUDIT_ARCH_PARISC64:    "parisc64",
	AUDIT_ARCH_PPC:         "ppc",
	AUDIT_ARCH_PPC64:       "ppc64",
	AUDIT_ARCH_PPC64LE:     "ppc64le",
	AUDIT_ARCH_S390:        "s390",
	AUDIT_ARCH_S390X:       "s390x",
	AUDIT_ARCH_SH:          "sh",
	AUDIT_ARCH_SH64:        "sh64",
	AUDIT_ARCH_SHEL:        "shel",
	AUDIT_ARCH_SHEL64:      "shel64",
	AUDIT_ARCH_SPARC:       "sparc",
	AUDIT_ARCH_SPARC64:     "sparc64",
	AUDIT_ARCH_X86_64:      "x86_64",
}
// AuditErrnoToName is a map[int]string. Judging by its name it translates an
// errno number into its symbolic name, but the entries are elided in this
// listing (the rendered note reports 131 of them), so confirm the exact
// contents and the sign convention of the keys against the source file.
// A number with no entry yields "" on a plain index; use the two-value
// lookup to detect unknown values.
var AuditErrnoToName = map[int]string{}/* 131 elements not displayed */
// AuditErrnoToNum is a map[string]int. Judging by its name it translates a
// symbolic errno name into its number; the entries are elided in this listing.
// The rendered note reports 133 entries here versus 131 for AuditErrnoToName,
// so the two maps are not exact inverses of each other.
// NOTE(review): presumably some names alias the same number; verify before
// relying on a name -> number -> name round trip.
// A name with no entry yields 0 on a plain index; use the two-value lookup so
// an unknown name is not mistaken for errno 0.
var AuditErrnoToNum = map[string]int{}/* 133 elements not displayed */
var AuditSyscalls = map[string]map[int]string{
	"aarch64": {
		0:   "io_setup",
		1:   "io_destroy",
		2:   "io_submit",
		3:   "io_cancel",
		4:   "io_getevents",
		5:   "setxattr",
		6:   "lsetxattr",
		7:   "fsetxattr",
		8:   "getxattr",
		9:   "lgetxattr",
		10:  "fgetxattr",
		11:  "listxattr",
		12:  "llistxattr",
		13:  "flistxattr",
		14:  "removexattr",
		15:  "lremovexattr",
		16:  "fremovexattr",
		17:  "getcwd",
		18:  "lookup_dcookie",
		19:  "eventfd2",
		20:  "epoll_create1",
		21:  "epoll_ctl",
		22:  "epoll_pwait",
		23:  "dup",
		24:  "dup3",
		25:  "fcntl",
		26:  "inotify_init1",
		27:  "inotify_add_watch",
		28:  "inotify_rm_watch",
		29:  "ioctl",
		30:  "ioprio_set",
		31:  "ioprio_get",
		32:  "flock",
		33:  "mknodat",
		34:  "mkdirat",
		35:  "unlinkat",
		36:  "symlinkat",
		37:  "linkat",
		38:  "renameat",
		39:  "umount2",
		40:  "mount",
		41:  "pivot_root",
		42:  "nfsservctl",
		43:  "statfs",
		44:  "fstatfs",
		45:  "truncate",
		46:  "ftruncate",
		47:  "fallocate",
		48:  "faccessat",
		49:  "chdir",
		50:  "fchdir",
		51:  "chroot",
		52:  "fchmod",
		53:  "fchmodat",
		54:  "fchownat",
		55:  "fchown",
		56:  "openat",
		57:  "close",
		58:  "vhangup",
		59:  "pipe2",
		60:  "quotactl",
		61:  "getdents",
		62:  "lseek",
		63:  "read",
		64:  "write",
		65:  "readv",
		66:  "writev",
		67:  "pread",
		68:  "pwrite",
		69:  "preadv",
		70:  "pwritev",
		71:  "sendfile",
		72:  "pselect6",
		73:  "ppoll",
		74:  "signalfd4",
		75:  "vmsplice",
		76:  "splice",
		77:  "tee",
		78:  "readlinkat",
		79:  "newfstatat",
		80:  "newfstat",
		81:  "sync",
		82:  "fsync",
		83:  "fdatasync",
		84:  "sync_file_range",
		85:  "timerfd_create",
		86:  "timerfd_settime",
		87:  "timerfd_gettime",
		88:  "utimensat",
		89:  "acct",
		90:  "capget",
		91:  "capset",
		92:  "personality",
		93:  "exit",
		94:  "exit_group",
		95:  "waitid",
		96:  "set_tid_address",
		97:  "unshare",
		98:  "futex",
		99:  "set_robust_list",
		100: "get_robust_list",
		101: "nanosleep",
		102: "getitimer",
		103: "setitimer",
		104: "kexec_load",
		105: "init_module",
		106: "delete_module",
		107: "timer_create",
		108: "timer_gettime",
		109: "timer_getoverrun",
		110: "timer_settime",
		111: "timer_delete",
		112: "clock_settime",
		113: "clock_gettime",
		114: "clock_getres",
		115: "clock_nanosleep",
		116: "syslog",
		117: "ptrace",
		118: "sched_setparam",
		119: "sched_setscheduler",
		120: "sched_getscheduler",
		121: "sched_getparam",
		122: "sched_setaffinity",
		123: "sched_getaffinity",
		124: "sched_yield",
		125: "sched_get_priority_max",
		126: "sched_get_priority_min",
		127: "sched_rr_get_interval",
		128: "restart_syscall",
		129: "kill",
		130: "tkill",
		131: "tgkill",
		132: "sigaltstack",
		133: "rt_sigsuspend",
		134: "rt_sigaction",
		135: "rt_sigprocmask",
		136: "rt_sigpending",
		137: "rt_sigtimedwait",
		138: "rt_sigqueueinfo",
		139: "rt_sigreturn",
		140: "setpriority",
		141: "getpriority",
		142: "reboot",
		143: "setregid",
		144: "setgid",
		145: "setreuid",
		146: "setuid",
		147: "setresuid",
		148: "getresuid",
		149: "setresgid",
		150: "getresgid",
		151: "setfsuid",
		152: "setfsgid",
		153: "times",
		154: "setpgid",
		155: "getpgid",
		156: "getsid",
		157: "setsid",
		158: "getgroups",
		159: "setgroups",
		160: "uname",
		161: "sethostname",
		162: "setdomainname",
		163: "getrlimit",
		164: "setrlimit",
		165: "getrusage",
		166: "umask",
		167: "prctl",
		168: "getcpu",
		169: "gettimeofday",
		170: "settimeofday",
		171: "adjtimex",
		172: "getpid",
		173: "getppid",
		174: "getuid",
		175: "geteuid",
		176: "getgid",
		177: "getegid",
		178: "gettid",
		179: "sysinfo",
		180: "mq_open",
		181: "mq_unlink",
		182: "mq_timedsend",
		183: "mq_timedreceive",
		184: "mq_notify",
		185: "mq_getsetattr",
		186: "msgget",
		187: "msgctl",
		188: "msgrcv",
		189: "msgsnd",
		190: "semget",
		191: "semctl",
		192: "semtimedop",
		193: "semop",
		194: "shmget",
		195: "shmctl",
		196: "shmat",
		197: "shmdt",
		198: "socket",
		199: "socketpair",
		200: "bind",
		201: "listen",
		202: "accept",
		203: "connect",
		204: "getsockname",
		205: "getpeername",
		206: "sendto",
		207: "recvfrom",
		208: "setsockopt",
		209: "getsockopt",
		210: "shutdown",
		211: "sendmsg",
		212: "recvmsg",
		213: "readahead",
		214: "brk",
		215: "munmap",
		216: "mremap",
		217: "add_key",
		218: "request_key",
		219: "keyctl",
		220: "clone",
		221: "execve",
		222: "mmap",
		223: "fadvise64",
		224: "swapon",
		225: "swapoff",
		226: "mprotect",
		227: "msync",
		228: "mlock",
		229: "munlock",
		230: "mlockall",
		231: "munlockall",
		232: "mincore",
		233: "madvise",
		234: "remap_file_pages",
		235: "mbind",
		236: "get_mempolicy",
		237: "set_mempolicy",
		238: "migrate_pages",
		239: "move_pages",
		240: "rt_tgsigqueueinfo",
		241: "perf_event_open",
		242: "accept4",
		243: "recvmmsg",
		260: "wait4",
		261: "prlimit64",
		262: "fanotify_init",
		263: "fanotify_mark",
		264: "name_to_handle_at",
		265: "open_by_handle_at",
		266: "clock_adjtime",
		267: "syncfs",
		268: "setns",
		269: "sendmmsg",
		270: "process_vm_readv",
		271: "process_vm_writev",
		272: "kcmp",
		273: "finit_module",
		274: "sched_setattr",
		275: "sched_getattr",
		276: "renameat2",
		277: "seccomp",
		278: "getrandom",
		279: "memfd_create",
		280: "bpf",
		281: "execveat",
		282: "userfaultfd",
		283: "membarrier",
		284: "mlock2",
		285: "copy_file_range",
	},
	"arm": {
		0:   "restart_syscall",
		1:   "exit",
		2:   "fork",
		3:   "read",
		4:   "write",
		5:   "open",
		6:   "close",
		8:   "creat",
		9:   "link",
		10:  "unlink",
		11:  "execve",
		12:  "chdir",
		13:  "time",
		14:  "mknod",
		15:  "chmod",
		16:  "lchown",
		19:  "lseek",
		20:  "getpid",
		21:  "mount",
		22:  "umount",
		23:  "setuid",
		24:  "getuid",
		25:  "stime",
		26:  "ptrace",
		27:  "alarm",
		29:  "pause",
		30:  "utime",
		33:  "access",
		34:  "nice",
		36:  "sync",
		37:  "kill",
		38:  "rename",
		39:  "mkdir",
		40:  "rmdir",
		41:  "dup",
		42:  "pipe",
		43:  "times",
		45:  "brk",
		46:  "setgid",
		47:  "getgid",
		49:  "geteuid",
		50:  "getegid",
		51:  "acct",
		52:  "umount2",
		54:  "ioctl",
		55:  "fcntl",
		57:  "setpgid",
		60:  "umask",
		61:  "chroot",
		62:  "ustat",
		63:  "dup2",
		64:  "getppid",
		65:  "getpgrp",
		66:  "setsid",
		67:  "sigaction",
		70:  "setreuid",
		71:  "setregid",
		72:  "sigsuspend",
		73:  "sigpending",
		74:  "sethostname",
		75:  "setrlimit",
		76:  "getrlimit",
		77:  "getrusage",
		78:  "gettimeofday",
		79:  "settimeofday",
		80:  "getgroups",
		81:  "setgroups",
		82:  "select",
		83:  "symlink",
		85:  "readlink",
		86:  "uselib",
		87:  "swapon",
		88:  "reboot",
		89:  "readdir",
		90:  "mmap",
		91:  "munmap",
		92:  "truncate",
		93:  "ftruncate",
		94:  "fchmod",
		95:  "fchown",
		96:  "getpriority",
		97:  "setpriority",
		99:  "statfs",
		100: "fstatfs",
		102: "socketcall",
		103: "syslog",
		104: "setitimer",
		105: "getitimer",
		106: "stat",
		107: "lstat",
		108: "fstat",
		111: "vhangup",
		113: "syscall",
		114: "wait4",
		115: "swapoff",
		116: "sysinfo",
		117: "ipc",
		118: "fsync",
		119: "sigreturn",
		120: "clone",
		121: "setdomainname",
		122: "uname",
		124: "adjtimex",
		125: "mprotect",
		126: "sigprocmask",
		128: "init_module",
		129: "delete_module",
		131: "quotactl",
		132: "getpgid",
		133: "fchdir",
		134: "bdflush",
		135: "sysfs",
		136: "personality",
		138: "setfsuid",
		139: "setfsgid",
		140: "llseek",
		141: "getdents",
		142: "newselect",
		143: "flock",
		144: "msync",
		145: "readv",
		146: "writev",
		147: "getsid",
		148: "fdatasync",
		149: "sysctl",
		150: "mlock",
		151: "munlock",
		152: "mlockall",
		153: "munlockall",
		154: "sched_setparam",
		155: "sched_getparam",
		156: "sched_setscheduler",
		157: "sched_getscheduler",
		158: "sched_yield",
		159: "sched_get_priority_max",
		160: "sched_get_priority_min",
		161: "sched_rr_get_interval",
		162: "nanosleep",
		163: "mremap",
		164: "setresuid",
		165: "getresuid",
		168: "poll",
		169: "nfsservctl",
		170: "setresgid",
		171: "getresgid",
		172: "prctl",
		173: "rt_sigreturn",
		174: "rt_sigaction",
		175: "rt_sigprocmask",
		176: "rt_sigpending",
		177: "rt_sigtimedwait",
		178: "rt_sigqueueinfo",
		179: "rt_sigsuspend",
		180: "pread64",
		181: "pwrite64",
		182: "chown",
		183: "getcwd",
		184: "capget",
		185: "capset",
		186: "sigaltstack",
		187: "sendfile",
		190: "vfork",
		191: "ugetrlimit",
		192: "mmap2",
		193: "truncate64",
		194: "ftruncate64",
		195: "stat64",
		196: "lstat64",
		197: "fstat64",
		198: "lchown32",
		199: "getuid32",
		200: "getgid32",
		201: "geteuid32",
		202: "getegid32",
		203: "setreuid32",
		204: "setregid32",
		205: "getgroups32",
		206: "setgroups32",
		207: "fchown32",
		208: "setresuid32",
		209: "getresuid32",
		210: "setresgid32",
		211: "getresgid32",
		212: "chown32",
		213: "setuid32",
		214: "setgid32",
		215: "setfsuid32",
		216: "setfsgid32",
		217: "getdents64",
		218: "pivot_root",
		219: "mincore",
		220: "madvise",
		221: "fcntl64",
		224: "gettid",
		225: "readahead",
		226: "setxattr",
		227: "lsetxattr",
		228: "fsetxattr",
		229: "getxattr",
		230: "lgetxattr",
		231: "fgetxattr",
		232: "listxattr",
		233: "llistxattr",
		234: "flistxattr",
		235: "removexattr",
		236: "lremovexattr",
		237: "fremovexattr",
		238: "tkill",
		239: "sendfile64",
		240: "futex",
		241: "sched_setaffinity",
		242: "sched_getaffinity",
		243: "io_setup",
		244: "io_destroy",
		245: "io_getevents",
		246: "io_submit",
		247: "io_cancel",
		248: "exit_group",
		249: "lookup_dcookie",
		250: "epoll_create",
		251: "epoll_ctl",
		252: "epoll_wait",
		253: "remap_file_pages",
		256: "set_tid_address",
		257: "timer_create",
		258: "timer_settime",
		259: "timer_gettime",
		260: "timer_getoverrun",
		261: "timer_delete",
		262: "clock_settime",
		263: "clock_gettime",
		264: "clock_getres",
		265: "clock_nanosleep",
		266: "statfs64",
		267: "fstatfs64",
		268: "tgkill",
		269: "utimes",
		270: "fadvise64_64",
		271: "pciconfig_iobase",
		272: "pciconfig_read",
		273: "pciconfig_write",
		274: "mq_open",
		275: "mq_unlink",
		276: "mq_timedsend",
		277: "mq_timedreceive",
		278: "mq_notify",
		279: "mq_getsetattr",
		280: "waitid",
		281: "socket",
		282: "bind",
		283: "connect",
		284: "listen",
		285: "accept",
		286: "getsockname",
		287: "getpeername",
		288: "socketpair",
		289: "send",
		290: "sendto",
		291: "recv",
		292: "recvfrom",
		293: "shutdown",
		294: "setsockopt",
		295: "getsockopt",
		296: "sendmsg",
		297: "recvmsg",
		298: "semop",
		299: "semget",
		300: "semctl",
		301: "msgsnd",
		302: "msgrcv",
		303: "msgget",
		304: "msgctl",
		305: "shmat",
		306: "shmdt",
		307: "shmget",
		308: "shmctl",
		309: "add_key",
		310: "request_key",
		311: "keyctl",
		312: "semtimedop",
		313: "vserver",
		314: "ioprio_set",
		315: "ioprio_get",
		316: "inotify_init",
		317: "inotify_add_watch",
		318: "inotify_rm_watch",
		319: "mbind",
		320: "get_mempolicy",
		321: "set_mempolicy",
		322: "openat",
		323: "mkdirat",
		324: "mknodat",
		325: "fchownat",
		326: "futimesat",
		327: "fstatat64",
		328: "unlinkat",
		329: "renameat",
		330: "linkat",
		331: "symlinkat",
		332: "readlinkat",
		333: "fchmodat",
		334: "faccessat",
		337: "unshare",
		338: "set_robust_list",
		339: "get_robust_list",
		340: "splice",
		341: "sync_file_range",
		342: "tee",
		343: "vmsplice",
		344: "move_pages",
		345: "getcpu",
		347: "kexec_load",
		348: "utimensat",
		349: "signalfd",
		350: "timerfd_create",
		351: "eventfd",
		352: "fallocate",
		353: "timerfd_settime",
		354: "timerfd_gettime",
		355: "signalfd4",
		356: "eventfd2",
		357: "epoll_create1",
		358: "dup3",
		359: "pipe2",
		360: "inotify_init1",
		361: "preadv",
		362: "pwritev",
		363: "rt_tgsigqueueinfo",
		364: "perf_event_open",
		365: "recvmmsg",
		366: "accept4",
		367: "fanotify_init",
		368: "fanotify_mark",
		369: "prlimit64",
		370: "name_to_handle_at",
		371: "open_by_handle_at",
		372: "clock_adjtime",
		373: "syncfs",
		374: "sendmmsg",
		375: "setns",
		376: "process_vm_readv",
		377: "process_vm_writev",
		378: "kcmp",
		379: "finit_module",
		380: "sched_setattr",
		381: "sched_getattr",
		382: "renameat2",
		383: "seccomp",
		384: "getrandom",
		385: "memfd_create",
		386: "bpf",
		387: "execveat",
		388: "userfaultfd",
		389: "membarrier",
		390: "mlock2",
		391: "copy_file_range",
	},
	"i386": {
		0:   "restart_syscall",
		1:   "exit",
		2:   "fork",
		3:   "read",
		4:   "write",
		5:   "open",
		6:   "close",
		7:   "waitpid",
		8:   "creat",
		9:   "link",
		10:  "unlink",
		11:  "execve",
		12:  "chdir",
		13:  "time",
		14:  "mknod",
		15:  "chmod",
		16:  "lchown",
		17:  "break",
		18:  "oldstat",
		19:  "lseek",
		20:  "getpid",
		21:  "mount",
		22:  "umount",
		23:  "setuid",
		24:  "getuid",
		25:  "stime",
		26:  "ptrace",
		27:  "alarm",
		28:  "oldfstat",
		29:  "pause",
		30:  "utime",
		31:  "stty",
		32:  "gtty",
		33:  "access",
		34:  "nice",
		35:  "ftime",
		36:  "sync",
		37:  "kill",
		38:  "rename",
		39:  "mkdir",
		40:  "rmdir",
		41:  "dup",
		42:  "pipe",
		43:  "times",
		44:  "prof",
		45:  "brk",
		46:  "setgid",
		47:  "getgid",
		48:  "signal",
		49:  "geteuid",
		50:  "getegid",
		51:  "acct",
		52:  "umount2",
		53:  "lock",
		54:  "ioctl",
		55:  "fcntl",
		56:  "mpx",
		57:  "setpgid",
		58:  "ulimit",
		59:  "oldolduname",
		60:  "umask",
		61:  "chroot",
		62:  "ustat",
		63:  "dup2",
		64:  "getppid",
		65:  "getpgrp",
		66:  "setsid",
		67:  "sigaction",
		68:  "sgetmask",
		69:  "ssetmask",
		70:  "setreuid",
		71:  "setregid",
		72:  "sigsuspend",
		73:  "sigpending",
		74:  "sethostname",
		75:  "setrlimit",
		76:  "getrlimit",
		77:  "getrusage",
		78:  "gettimeofday",
		79:  "settimeofday",
		80:  "getgroups",
		81:  "setgroups",
		82:  "select",
		83:  "symlink",
		84:  "oldlstat",
		85:  "readlink",
		86:  "uselib",
		87:  "swapon",
		88:  "reboot",
		89:  "readdir",
		90:  "mmap",
		91:  "munmap",
		92:  "truncate",
		93:  "ftruncate",
		94:  "fchmod",
		95:  "fchown",
		96:  "getpriority",
		97:  "setpriority",
		98:  "profil",
		99:  "statfs",
		100: "fstatfs",
		101: "ioperm",
		102: "socketcall",
		103: "syslog",
		104: "setitimer",
		105: "getitimer",
		106: "stat",
		107: "lstat",
		108: "fstat",
		109: "olduname",
		110: "iopl",
		111: "vhangup",
		112: "idle",
		113: "vm86old",
		114: "wait4",
		115: "swapoff",
		116: "sysinfo",
		117: "ipc",
		118: "fsync",
		119: "sigreturn",
		120: "clone",
		121: "setdomainname",
		122: "uname",
		123: "modify_ldt",
		124: "adjtimex",
		125: "mprotect",
		126: "sigprocmask",
		127: "create_module",
		128: "init_module",
		129: "delete_module",
		130: "get_kernel_syms",
		131: "quotactl",
		132: "getpgid",
		133: "fchdir",
		134: "bdflush",
		135: "sysfs",
		136: "personality",
		137: "afs_syscall",
		138: "setfsuid",
		139: "setfsgid",
		140: "_llseek",
		141: "getdents",
		142: "_newselect",
		143: "flock",
		144: "msync",
		145: "readv",
		146: "writev",
		147: "getsid",
		148: "fdatasync",
		149: "_sysctl",
		150: "mlock",
		151: "munlock",
		152: "mlockall",
		153: "munlockall",
		154: "sched_setparam",
		155: "sched_getparam",
		156: "sched_setscheduler",
		157: "sched_getscheduler",
		158: "sched_yield",
		159: "sched_get_priority_max",
		160: "sched_get_priority_min",
		161: "sched_rr_get_interval",
		162: "nanosleep",
		163: "mremap",
		164: "setresuid",
		165: "getresuid",
		166: "vm86",
		167: "query_module",
		168: "poll",
		169: "nfsservctl",
		170: "setresgid",
		171: "getresgid",
		172: "prctl",
		173: "rt_sigreturn",
		174: "rt_sigaction",
		175: "rt_sigprocmask",
		176: "rt_sigpending",
		177: "rt_sigtimedwait",
		178: "rt_sigqueueinfo",
		179: "rt_sigsuspend",
		180: "pread64",
		181: "pwrite64",
		182: "chown",
		183: "getcwd",
		184: "capget",
		185: "capset",
		186: "sigaltstack",
		187: "sendfile",
		188: "getpmsg",
		189: "putpmsg",
		190: "vfork",
		191: "ugetrlimit",
		192: "mmap2",
		193: "truncate64",
		194: "ftruncate64",
		195: "stat64",
		196: "lstat64",
		197: "fstat64",
		198: "lchown32",
		199: "getuid32",
		200: "getgid32",
		201: "geteuid32",
		202: "getegid32",
		203: "setreuid32",
		204: "setregid32",
		205: "getgroups32",
		206: "setgroups32",
		207: "fchown32",
		208: "setresuid32",
		209: "getresuid32",
		210: "setresgid32",
		211: "getresgid32",
		212: "chown32",
		213: "setuid32",
		214: "setgid32",
		215: "setfsuid32",
		216: "setfsgid32",
		217: "pivot_root",
		218: "mincore",
		219: "madvise1",
		220: "getdents64",
		221: "fcntl64",
		224: "gettid",
		225: "readahead",
		226: "setxattr",
		227: "lsetxattr",
		228: "fsetxattr",
		229: "getxattr",
		230: "lgetxattr",
		231: "fgetxattr",
		232: "listxattr",
		233: "llistxattr",
		234: "flistxattr",
		235: "removexattr",
		236: "lremovexattr",
		237: "fremovexattr",
		238: "tkill",
		239: "sendfile64",
		240: "futex",
		241: "sched_setaffinity",
		242: "sched_getaffinity",
		243: "set_thread_area",
		244: "get_thread_area",
		245: "io_setup",
		246: "io_destroy",
		247: "io_getevents",
		248: "io_submit",
		249: "io_cancel",
		250: "fadvise64",
		252: "exit_group",
		253: "lookup_dcookie",
		254: "epoll_create",
		255: "epoll_ctl",
		256: "epoll_wait",
		257: "remap_file_pages",
		258: "set_tid_address",
		259: "timer_create",
		260: "timer_settime",
		261: "timer_gettime",
		262: "timer_getoverrun",
		263: "timer_delete",
		264: "clock_settime",
		265: "clock_gettime",
		266: "clock_getres",
		267: "clock_nanosleep",
		268: "statfs64",
		269: "fstatfs64",
		270: "tgkill",
		271: "utimes",
		272: "fadvise64_64",
		273: "vserver",
		274: "mbind",
		275: "get_mempolicy",
		276: "set_mempolicy",
		277: "mq_open",
		278: "mq_unlink",
		279: "mq_timedsend",
		280: "mq_timedreceive",
		281: "mq_notify",
		282: "mq_getsetattr",
		283: "sys_kexec_load",
		284: "waitid",
		286: "add_key",
		287: "request_key",
		288: "keyctl",
		289: "ioprio_set",
		290: "ioprio_get",
		291: "inotify_init",
		292: "inotify_add_watch",
		293: "inotify_rm_watch",
		294: "migrate_pages",
		295: "openat",
		296: "mkdirat",
		297: "mknodat",
		298: "fchownat",
		299: "futimesat",
		300: "fstatat64",
		301: "unlinkat",
		302: "renameat",
		303: "linkat",
		304: "symlinkat",
		305: "readlinkat",
		306: "fchmodat",
		307: "faccessat",
		308: "pselect6",
		309: "ppoll",
		310: "unshare",
		311: "set_robust_list",
		312: "get_robust_list",
		313: "splice",
		314: "sync_file_range",
		315: "tee",
		316: "vmsplice",
		317: "move_pages",
		318: "getcpu",
		319: "epoll_pwait",
		320: "utimensat",
		321: "signalfd",
		322: "timerfd",
		323: "eventfd",
		324: "fallocate",
		325: "timerfd_settime",
		326: "timerfd_gettime",
		327: "signalfd4",
		328: "eventfd2",
		329: "epoll_create1",
		330: "dup3",
		331: "pipe2",
		332: "inotify_init1",
		333: "preadv",
		334: "pwritev",
		335: "rt_tgsigqueueinfo",
		336: "perf_event_open",
		337: "recvmmsg",
		338: "fanotify_init",
		339: "fanotify_mark",
		340: "prlimit64",
		341: "name_to_handle_at",
		342: "open_by_handle_at",
		343: "clock_adjtime",
		344: "syncfs",
		345: "sendmmsg",
		346: "setns",
		347: "process_vm_readv",
		348: "process_vm_writev",
		349: "kcmp",
		350: "finit_module",
		351: "sched_setattr",
		352: "sched_getattr",
		353: "renameat2",
		354: "seccomp",
		355: "getrandom",
		356: "memfd_create",
		357: "bpf",
		358: "execveat",
		359: "socket",
		360: "socketpair",
		361: "bind",
		362: "connect",
		363: "listen",
		364: "accept4",
		365: "getsockopt",
		366: "setsockopt",
		367: "getsockname",
		368: "getpeername",
		369: "sendto",
		370: "sendmsg",
		371: "recvfrom",
		372: "recvmsg",
		373: "shutdown",
		374: "userfaultfd",
		375: "membarrier",
		376: "mlock2",
		377: "copy_file_range",
	},
	"ia64": {
		1024: "ni_syscall",
		1025: "exit",
		1026: "read",
		1027: "write",
		1028: "open",
		1029: "close",
		1030: "creat",
		1031: "link",
		1032: "unlink",
		1033: "execve",
		1034: "chdir",
		1035: "fchdir",
		1036: "utimes",
		1037: "mknod",
		1038: "chmod",
		1039: "chown",
		1040: "lseek",
		1041: "getpid",
		1042: "getppid",
		1043: "mount",
		1044: "umount",
		1045: "setuid",
		1046: "getuid",
		1047: "geteuid",
		1048: "ptrace",
		1049: "access",
		1050: "sync",
		1051: "fsync",
		1052: "fdatasync",
		1053: "kill",
		1054: "rename",
		1055: "mkdir",
		1056: "rmdir",
		1057: "dup",
		1058: "pipe",
		1059: "times",
		1060: "brk",
		1061: "setgid",
		1062: "getgid",
		1063: "getegid",
		1064: "acct",
		1065: "ioctl",
		1066: "fcntl",
		1067: "umask",
		1068: "chroot",
		1069: "ustat",
		1070: "dup2",
		1071: "setreuid",
		1072: "setregid",
		1073: "getresuid",
		1074: "setresuid",
		1075: "getresgid",
		1076: "setresgid",
		1077: "getgroups",
		1078: "setgroups",
		1079: "getpgid",
		1080: "setpgid",
		1081: "setsid",
		1082: "getsid",
		1083: "sethostname",
		1084: "setrlimit",
		1085: "getrlimit",
		1086: "getrusage",
		1087: "gettimeofday",
		1088: "settimeofday",
		1089: "select",
		1090: "poll",
		1091: "symlink",
		1092: "readlink",
		1093: "uselib",
		1094: "swapon",
		1095: "swapoff",
		1096: "reboot",
		1097: "truncate",
		1098: "ftruncate",
		1099: "fchmod",
		1100: "fchown",
		1101: "getpriority",
		1102: "setpriority",
		1103: "statfs",
		1104: "fstatfs",
		1105: "gettid",
		1106: "semget",
		1107: "semop",
		1108: "semctl",
		1109: "msgget",
		1110: "msgsnd",
		1111: "msgrcv",
		1112: "msgctl",
		1113: "shmget",
		1114: "shmat",
		1115: "shmdt",
		1116: "shmctl",
		1117: "syslog",
		1118: "setitimer",
		1119: "getitimer",
		1120: "tux",
		1123: "vhangup",
		1124: "lchown",
		1125: "remap_file_pages",
		1126: "wait4",
		1127: "sysinfo",
		1128: "clone",
		1129: "setdomainname",
		1130: "uname",
		1131: "adjtimex",
		1133: "init_module",
		1134: "delete_module",
		1137: "quotactl",
		1138: "bdflush",
		1139: "sysfs",
		1140: "personality",
		1141: "afs_syscall",
		1142: "setfsuid",
		1143: "setfsgid",
		1144: "getdents",
		1145: "flock",
		1146: "readv",
		1147: "writev",
		1148: "pread64",
		1149: "pwrite64",
		1150: "_sysctl",
		1151: "mmap",
		1152: "munmap",
		1153: "mlock",
		1154: "mlockall",
		1155: "mprotect",
		1156: "mremap",
		1157: "msync",
		1158: "munlock",
		1159: "munlockall",
		1160: "sched_getparam",
		1161: "sched_setparam",
		1162: "sched_getscheduler",
		1163: "sched_setscheduler",
		1164: "sched_yield",
		1165: "sched_get_priority_max",
		1166: "sched_get_priority_min",
		1167: "sched_rr_get_interval",
		1168: "nanosleep",
		1169: "nfsservctl",
		1170: "prctl",
		1172: "mmap2",
		1173: "pciconfig_read",
		1174: "pciconfig_write",
		1175: "perfmonctl",
		1176: "sigaltstack",
		1177: "rt_sigaction",
		1178: "rt_sigpending",
		1179: "rt_sigprocmask",
		1180: "rt_sigqueueinfo",
		1181: "rt_sigreturn",
		1182: "rt_sigsuspend",
		1183: "rt_sigtimedwait",
		1184: "getcwd",
		1185: "capget",
		1186: "capset",
		1187: "sendfile",
		1188: "getpmsg",
		1189: "putpmsg",
		1190: "socket",
		1191: "bind",
		1192: "connect",
		1193: "listen",
		1194: "accept",
		1195: "getsockname",
		1196: "getpeername",
		1197: "socketpair",
		1198: "send",
		1199: "sendto",
		1200: "recv",
		1201: "recvfrom",
		1202: "shutdown",
		1203: "setsockopt",
		1204: "getsockopt",
		1205: "sendmsg",
		1206: "recvmsg",
		1207: "pivot_root",
		1208: "mincore",
		1209: "madvise",
		1210: "stat",
		1211: "lstat",
		1212: "fstat",
		1213: "clone2",
		1214: "getdents64",
		1215: "getunwind",
		1216: "readahead",
		1217: "setxattr",
		1218: "lsetxattr",
		1219: "fsetxattr",
		1220: "getxattr",
		1221: "lgetxattr",
		1222: "fgetxattr",
		1223: "listxattr",
		1224: "llistxattr",
		1225: "flistxattr",
		1226: "removexattr",
		1227: "lremovexattr",
		1228: "fremovexattr",
		1229: "tkill",
		1230: "futex",
		1231: "sched_setaffinity",
		1232: "sched_getaffinity",
		1233: "set_tid_address",
		1234: "fadvise64",
		1235: "tgkill",
		1236: "exit_group",
		1237: "lookup_dcookie",
		1238: "io_setup",
		1239: "io_destroy",
		1240: "io_getevents",
		1241: "io_submit",
		1242: "io_cancel",
		1243: "epoll_create",
		1244: "epoll_ctl",
		1245: "epoll_wait",
		1246: "restart_syscall",
		1247: "semtimedop",
		1248: "timer_create",
		1249: "timer_settime",
		1250: "timer_gettime",
		1251: "timer_getoverrun",
		1252: "timer_delete",
		1253: "clock_settime",
		1254: "clock_gettime",
		1255: "clock_getres",
		1256: "clock_nanosleep",
		1257: "fstatfs64",
		1258: "statfs64",
		1259: "mbind",
		1260: "get_mempolicy",
		1261: "set_mempolicy",
		1262: "mq_open",
		1263: "mq_unlink",
		1264: "mq_timedsend",
		1265: "mq_timedreceive",
		1266: "mq_notify",
		1267: "mq_getsetattr",
		1268: "kexec_load",
		1269: "vserver",
		1270: "waitid",
		1271: "add_key",
		1272: "request_key",
		1273: "keyctl",
		1274: "ioprio_set",
		1275: "ioprio_get",
		1276: "set_zone_reclaim",
		1277: "inotify_init",
		1278: "inotify_add_watch",
		1279: "inotify_rm_watch",
		1280: "migrate_pages",
		1281: "openat",
		1282: "mkdirat",
		1283: "mknodat",
		1284: "fchownat",
		1285: "futimesat",
		1286: "newfstatat",
		1287: "unlinkat",
		1288: "renameat",
		1289: "linkat",
		1290: "symlinkat",
		1291: "readlinkat",
		1292: "fchmodat",
		1293: "faccessat",
		1294: "pselect",
		1295: "ppoll",
		1296: "unshare",
		1297: "splice",
		1298: "set_robust_list",
		1299: "get_robust_list",
		1300: "sync_file_range",
		1301: "tee",
		1302: "vmsplice",
		1303: "fallocate",
		1304: "getcpu",
		1305: "epoll_pwait",
		1306: "utimensat",
		1307: "signalfd",
		1308: "timerfd",
		1309: "eventfd",
		1310: "timerfd_create",
		1311: "timerfd_settime",
		1312: "timerfd_gettime",
		1313: "signalfd4",
		1314: "eventfd2",
		1315: "epoll_create1",
		1316: "dup3",
		1317: "pipe2",
		1318: "inotify_init1",
		1319: "preadv",
		1320: "pwritev",
		1321: "rt_tgsigqueueinfo",
		1322: "recvmmsg",
		1323: "fanotify_init",
		1324: "fanotify_mark",
		1325: "prlimit64",
		1326: "name_to_handle_at",
		1327: "open_by_handle_at",
		1328: "clock_adjtime",
		1329: "syncfs",
		1330: "setns",
		1331: "sendmmsg",
		1332: "process_vm_readv",
		1333: "process_vm_writev",
		1334: "accept4",
		1335: "finit_module",
		1336: "sched_setattr",
		1337: "sched_getattr",
		1338: "renameat2",
		1339: "getrandom",
		1340: "memfd_create",
		1341: "bpf",
		1342: "execveat",
		1343: "userfaultfd",
		1344: "membarrier",
		1345: "kcmp",
		1346: "mlock2",
		1347: "copy_file_range",
	},
	"ppc": {
		1:   "exit",
		2:   "fork",
		3:   "read",
		4:   "write",
		5:   "open",
		6:   "close",
		7:   "waitpid",
		8:   "creat",
		9:   "link",
		10:  "unlink",
		11:  "execve",
		12:  "chdir",
		13:  "time",
		14:  "mknod",
		15:  "chmod",
		16:  "lchown",
		17:  "break",
		18:  "oldstat",
		19:  "lseek",
		20:  "getpid",
		21:  "mount",
		22:  "umount",
		23:  "setuid",
		24:  "getuid",
		25:  "stime",
		26:  "ptrace",
		27:  "alarm",
		28:  "oldfstat",
		29:  "pause",
		30:  "utime",
		31:  "stty",
		32:  "gtty",
		33:  "access",
		34:  "nice",
		35:  "ftime",
		36:  "sync",
		37:  "kill",
		38:  "rename",
		39:  "mkdir",
		40:  "rmdir",
		41:  "dup",
		42:  "pipe",
		43:  "times",
		44:  "prof",
		45:  "brk",
		46:  "setgid",
		47:  "getgid",
		48:  "signal",
		49:  "geteuid",
		50:  "getegid",
		51:  "acct",
		52:  "umount2",
		53:  "lock",
		54:  "ioctl",
		55:  "fcntl",
		56:  "mpx",
		57:  "setpgid",
		58:  "ulimit",
		59:  "oldolduname",
		60:  "umask",
		61:  "chroot",
		62:  "ustat",
		63:  "dup2",
		64:  "getppid",
		65:  "getpgrp",
		66:  "setsid",
		67:  "sigaction",
		68:  "sgetmask",
		69:  "ssetmask",
		70:  "setreuid",
		71:  "setregid",
		72:  "sigsuspend",
		73:  "sigpending",
		74:  "sethostname",
		75:  "setrlimit",
		76:  "getrlimit",
		77:  "getrusage",
		78:  "gettimeofday",
		79:  "settimeofday",
		80:  "getgroups",
		81:  "setgroups",
		82:  "select",
		83:  "symlink",
		84:  "oldlstat",
		85:  "readlink",
		86:  "uselib",
		87:  "swapon",
		88:  "reboot",
		89:  "readdir",
		90:  "mmap",
		91:  "munmap",
		92:  "truncate",
		93:  "ftruncate",
		94:  "fchmod",
		95:  "fchown",
		96:  "getpriority",
		97:  "setpriority",
		98:  "profil",
		99:  "statfs",
		100: "fstatfs",
		101: "ioperm",
		102: "socketcall",
		103: "syslog",
		104: "setitimer",
		105: "getitimer",
		106: "stat",
		107: "lstat",
		108: "fstat",
		109: "olduname",
		110: "iopl",
		111: "vhangup",
		112: "idle",
		113: "vm86",
		114: "wait4",
		115: "swapoff",
		116: "sysinfo",
		117: "ipc",
		118: "fsync",
		119: "sigreturn",
		120: "clone",
		121: "setdomainname",
		122: "uname",
		123: "modify_ldt",
		124: "adjtimex",
		125: "mprotect",
		126: "sigprocmask",
		127: "create_module",
		128: "init_module",
		129: "delete_module",
		130: "get_kernel_syms",
		131: "quotactl",
		132: "getpgid",
		133: "fchdir",
		134: "bdflush",
		135: "sysfs",
		136: "personality",
		137: "afs_syscall",
		138: "setfsuid",
		139: "setfsgid",
		140: "_llseek",
		141: "getdents",
		142: "_newselect",
		143: "flock",
		144: "msync",
		145: "readv",
		146: "writev",
		147: "getsid",
		148: "fdatasync",
		149: "_sysctl",
		150: "mlock",
		151: "munlock",
		152: "mlockall",
		153: "munlockall",
		154: "sched_setparam",
		155: "sched_getparam",
		156: "sched_setscheduler",
		157: "sched_getscheduler",
		158: "sched_yield",
		159: "sched_get_priority_max",
		160: "sched_get_priority_min",
		161: "sched_rr_get_interval",
		162: "nanosleep",
		163: "mremap",
		164: "setresuid",
		165: "getresuid",
		166: "query_module",
		167: "poll",
		168: "nfsservctl",
		169: "setresgid",
		170: "getresgid",
		171: "prctl",
		172: "rt_sigreturn",
		173: "rt_sigaction",
		174: "rt_sigprocmask",
		175: "rt_sigpending",
		176: "rt_sigtimedwait",
		177: "rt_sigqueueinfo",
		178: "rt_sigsuspend",
		179: "pread",
		180: "pwrite",
		181: "chown",
		182: "getcwd",
		183: "capget",
		184: "capset",
		185: "sigaltstack",
		186: "sendfile",
		187: "getpmsg",
		188: "putpmsg",
		189: "vfork",
		190: "ugetrlimit",
		191: "readahead",
		192: "mmap2",
		193: "truncate64",
		194: "ftruncate64",
		195: "stat64",
		196: "lstat64",
		197: "fstat64",
		198: "pciconfig_read",
		199: "pciconfig_write",
		200: "pciconfig_iobase",
		201: "multiplexer",
		202: "getdents64",
		203: "pivot_root",
		204: "fcntl64",
		205: "madvise",
		206: "mincore",
		207: "gettid",
		208: "tkill",
		209: "setxattr",
		210: "lsetxattr",
		211: "fsetxattr",
		212: "getxattr",
		213: "lgetxattr",
		214: "fgetxattr",
		215: "listxattr",
		216: "llistxattr",
		217: "flistxattr",
		218: "removexattr",
		219: "lremovexattr",
		220: "fremovexattr",
		221: "futex",
		222: "sched_setaffinity",
		223: "sched_getaffinity",
		225: "tuxcall",
		226: "sendfile64",
		227: "io_setup",
		228: "io_destroy",
		229: "io_getevents",
		230: "io_submit",
		231: "io_cancel",
		232: "set_tid_address",
		233: "fadvise64",
		234: "exit_group",
		235: "lookup_dcookie",
		236: "epoll_create",
		237: "epoll_ctl",
		238: "epoll_wait",
		239: "remap_file_pages",
		240: "timer_create",
		241: "timer_settime",
		242: "timer_gettime",
		243: "timer_getoverrun",
		244: "timer_delete",
		245: "clock_settime",
		246: "clock_gettime",
		247: "clock_getres",
		248: "clock_nanosleep",
		249: "swapcontext",
		250: "tgkill",
		251: "utimes",
		252: "statfs64",
		253: "fstatfs64",
		254: "fadvise64_64",
		255: "rtas",
		262: "mq_open",
		263: "mq_unlink",
		264: "mq_timedsend",
		265: "mq_timedreceive",
		266: "mq_notify",
		267: "mq_getsetattr",
		268: "kexec_load",
		269: "add_key",
		270: "request_key",
		271: "keyctl",
		272: "waitid",
		273: "ioprio_set",
		274: "ioprio_get",
		275: "inotify_init",
		276: "inotify_add_watch",
		277: "inotify_rm_watch",
		278: "spu_run",
		279: "spu_create",
		280: "pselect6",
		281: "ppoll",
		282: "unshare",
		283: "splice",
		284: "tee",
		285: "vmsplice",
		286: "openat",
		287: "mkdirat",
		288: "mknodat",
		289: "fchownat",
		290: "futimesat",
		291: "fstatat64",
		292: "unlinkat",
		293: "renameat",
		294: "linkat",
		295: "symlinkat",
		296: "readlinkat",
		297: "fchmodat",
		298: "faccessat",
		299: "get_robust_list",
		300: "set_robust_list",
		301: "move_pages",
		302: "getcpu",
		303: "epoll_pwait",
		304: "utimensat",
		305: "signalfd",
		306: "timerfd",
		307: "eventfd",
		308: "sync_file_range2",
		309: "fallocate",
		310: "subpage_prot",
		311: "timerfd_settime",
		312: "timerfd_gettime",
		313: "signalfd4",
		314: "eventfd2",
		315: "epoll_create1",
		316: "dup3",
		317: "pipe2",
		318: "inotify_init1",
		319: "perf_counter_open",
		320: "preadv",
		321: "pwritev",
		322: "rt_tgsigqueueinfo",
		323: "fanotify_init",
		324: "fanotify_mark",
		325: "prlimit64",
		326: "socket",
		327: "bind",
		328: "connect",
		329: "listen",
		330: "accept",
		331: "getsockname",
		332: "getpeername",
		333: "socketpair",
		334: "send",
		335: "sendto",
		336: "recv",
		337: "recvfrom",
		338: "shutdown",
		339: "setsockopt",
		340: "getsockopt",
		341: "sendmsg",
		342: "recvmsg",
		343: "recvmmsg",
		344: "accept4",
		345: "name_to_handle_at",
		346: "open_by_handle_at",
		347: "clock_adjtime",
		348: "syncfs",
		349: "sendmmsg",
		350: "setns",
		351: "process_vm_readv",
		352: "process_vm_writev",
		353: "finit_module",
		354: "kcmp",
		355: "sched_setattr",
		356: "sched_getattr",
		357: "renameat2",
		358: "seccomp",
		359: "getrandom",
		360: "memfd_create",
		361: "bpf",
		362: "execveat",
		363: "switch_endian",
		364: "userfaultfd",
		365: "membarrier",
		378: "mlock2",
		379: "copy_file_range",
	},
	"s390": {
		1:   "exit",
		2:   "fork",
		3:   "read",
		4:   "write",
		5:   "open",
		6:   "close",
		8:   "creat",
		9:   "link",
		10:  "unlink",
		11:  "execve",
		12:  "chdir",
		13:  "time",
		14:  "mknod",
		15:  "chmod",
		16:  "lchown",
		19:  "lseek",
		20:  "getpid",
		21:  "mount",
		22:  "umount",
		23:  "setuid",
		24:  "getuid",
		25:  "stime",
		26:  "ptrace",
		27:  "alarm",
		29:  "pause",
		30:  "utime",
		33:  "access",
		34:  "nice",
		36:  "sync",
		37:  "kill",
		38:  "rename",
		39:  "mkdir",
		40:  "rmdir",
		41:  "dup",
		42:  "pipe",
		43:  "times",
		45:  "brk",
		46:  "setgid",
		47:  "getgid",
		48:  "signal",
		49:  "geteuid",
		50:  "getegid",
		51:  "acct",
		52:  "umount2",
		54:  "ioctl",
		55:  "fcntl",
		57:  "setpgid",
		60:  "umask",
		61:  "chroot",
		62:  "ustat",
		63:  "dup2",
		64:  "getppid",
		65:  "getpgrp",
		66:  "setsid",
		67:  "sigaction",
		70:  "setreuid",
		71:  "setregid",
		72:  "sigsuspend",
		73:  "sigpending",
		74:  "sethostname",
		75:  "setrlimit",
		76:  "getrlimit",
		77:  "getrusage",
		78:  "gettimeofday",
		79:  "settimeofday",
		80:  "getgroups",
		81:  "setgroups",
		83:  "symlink",
		85:  "readlink",
		86:  "uselib",
		87:  "swapon",
		88:  "reboot",
		89:  "readdir",
		90:  "mmap",
		91:  "munmap",
		92:  "truncate",
		93:  "ftruncate",
		94:  "fchmod",
		95:  "fchown",
		96:  "getpriority",
		97:  "setpriority",
		99:  "statfs",
		100: "fstatfs",
		101: "ioperm",
		102: "socketcall",
		103: "syslog",
		104: "setitimer",
		105: "getitimer",
		106: "stat",
		107: "lstat",
		108: "fstat",
		111: "vhangup",
		112: "idle",
		114: "wait4",
		115: "swapoff",
		116: "sysinfo",
		117: "ipc",
		118: "fsync",
		119: "sigreturn",
		120: "clone",
		121: "setdomainname",
		122: "uname",
		124: "adjtimex",
		125: "mprotect",
		126: "sigprocmask",
		127: "create_module",
		128: "init_module",
		129: "delete_module",
		130: "get_kernel_syms",
		131: "quotactl",
		132: "getpgid",
		133: "fchdir",
		134: "bdflush",
		135: "sysfs",
		136: "personality",
		137: "afs_syscall",
		138: "setfsuid",
		139: "setfsgid",
		140: "_llseek",
		141: "getdents",
		142: "_newselect",
		143: "flock",
		144: "msync",
		145: "readv",
		146: "writev",
		147: "getsid",
		148: "fdatasync",
		149: "_sysctl",
		150: "mlock",
		151: "munlock",
		152: "mlockall",
		153: "munlockall",
		154: "sched_setparam",
		155: "sched_getparam",
		156: "sched_setscheduler",
		157: "sched_getscheduler",
		158: "sched_yield",
		159: "sched_get_priority_max",
		160: "sched_get_priority_min",
		161: "sched_rr_get_interval",
		162: "nanosleep",
		163: "mremap",
		164: "setresuid",
		165: "getresuid",
		167: "query_module",
		168: "poll",
		169: "nfsservctl",
		170: "setresgid",
		171: "getresgid",
		172: "prctl",
		173: "rt_sigreturn",
		174: "rt_sigaction",
		175: "rt_sigprocmask",
		176: "rt_sigpending",
		177: "rt_sigtimedwait",
		178: "rt_sigqueueinfo",
		179: "rt_sigsuspend",
		180: "pread",
		181: "pwrite",
		182: "chown",
		183: "getcwd",
		184: "capget",
		185: "capset",
		186: "sigaltstack",
		187: "sendfile",
		188: "getpmsg",
		189: "putpmsg",
		190: "vfork",
		191: "ugetrlimit",
		192: "mmap2",
		193: "truncate64",
		194: "ftruncate64",
		195: "stat64",
		196: "lstat64",
		197: "fstat64",
		198: "lchown32",
		199: "getuid32",
		200: "getgid32",
		201: "geteuid32",
		202: "getegid32",
		203: "setreuid32",
		204: "setregid32",
		205: "getgroups32",
		206: "setgroups32",
		207: "fchown32",
		208: "setresuid32",
		209: "getresuid32",
		210: "setresgid32",
		211: "getresgid32",
		212: "chown32",
		213: "setuid32",
		214: "setgid32",
		215: "setfsuid32",
		216: "setfsgid32",
		217: "pivot_root",
		218: "mincore",
		219: "madvise",
		220: "getdents64",
		221: "fcntl64",
		222: "readahead",
		223: "sendfile64",
		224: "setxattr",
		225: "lsetxattr",
		226: "fsetxattr",
		227: "getxattr",
		228: "lgetxattr",
		229: "fgetxattr",
		230: "listxattr",
		231: "llistxattr",
		232: "flistxattr",
		233: "removexattr",
		234: "lremovexattr",
		235: "fremovexattr",
		236: "gettid",
		237: "tkill",
		238: "futex",
		239: "sched_setaffinity",
		240: "sched_getaffinity",
		241: "tgkill",
		243: "io_setup",
		244: "io_destroy",
		245: "io_getevents",
		246: "io_submit",
		247: "io_cancel",
		248: "exit_group",
		249: "epoll_create",
		250: "epoll_ctl",
		251: "epoll_wait",
		252: "set_tid_address",
		253: "fadvise64",
		254: "timer_create",
		255: "timer_settime",
		256: "timer_gettime",
		257: "timer_getoverrun",
		258: "timer_delete",
		259: "clock_settime",
		260: "clock_gettime",
		261: "clock_getres",
		262: "clock_nanosleep",
		264: "fadvise64_64",
		265: "statfs64",
		266: "fstatfs64",
		267: "remap_file_pages",
		271: "mq_open",
		272: "mq_unlink",
		273: "mq_timedsend",
		274: "mq_timedreceive",
		275: "mq_notify",
		276: "mq_getsetattr",
		277: "kexec_load",
		278: "add_key",
		279: "request_key",
		280: "keyctl",
		281: "waitid",
		282: "ioprio_set",
		283: "ioprio_get",
		284: "inotify_init",
		285: "inotify_add_watch",
		286: "inotify_rm_watch",
		288: "openat",
		289: "mkdirat",
		290: "mknodat",
		291: "fchownat",
		292: "futimesat",
		293: "fstatat64",
		294: "unlinkat",
		295: "renameat",
		296: "linkat",
		297: "symlinkat",
		298: "readlinkat",
		299: "fchmodat",
		300: "faccessat",
		301: "pselect6",
		302: "ppoll",
		303: "unshare",
		304: "set_robust_list",
		305: "get_robust_list",
		306: "splice",
		307: "sync_file_range",
		308: "tee",
		309: "vmsplice",
		311: "getcpu",
		312: "epoll_pwait",
		313: "utimes",
		314: "fallocate",
		315: "utimensat",
		316: "signalfd",
		317: "timerfd",
		318: "eventfd",
		319: "timerfd_create",
		320: "timerfd_settime",
		321: "timerfd_gettime",
		322: "signalfd4",
		323: "eventfd2",
		324: "inotify_init1",
		325: "pipe2",
		326: "dup3",
		327: "epoll_create1",
		328: "preadv",
		329: "pwritev",
		330: "rt_tgsigqueueinfo",
		331: "perf_event_open",
		332: "fanotify_init",
		333: "fanotify_mark",
		334: "prlimit64",
		335: "name_to_handle_at",
		336: "open_by_handle_at",
		337: "clock_adjtime",
		338: "syncfs",
		339: "setns",
		340: "process_vm_readv",
		341: "process_vm_writev",
		342: "s390_runtime_instr",
		343: "kcmp",
		344: "finit_module",
		345: "sched_setattr",
		346: "sched_getattr",
		347: "renameat2",
		348: "seccomp",
		349: "getrandom",
		350: "memfd_create",
		351: "bpf",
		352: "s390_pci_mmio_write",
		353: "s390_pci_mmio_read",
		354: "execveat",
		355: "userfaultfd",
		356: "membarrier",
		357: "recvmmsg",
		358: "sendmmsg",
		359: "socket",
		360: "socketpair",
		361: "bind",
		362: "connect",
		363: "listen",
		364: "accept4",
		365: "getsockopt",
		366: "setsockopt",
		367: "getsockname",
		368: "getpeername",
		369: "sendto",
		370: "sendmsg",
		371: "recvfrom",
		372: "recvmsg",
		373: "shutdown",
		374: "mlock2",
		375: "copy_file_range",
	},
	"s390x": {
		1:   "exit",
		2:   "fork",
		3:   "read",
		4:   "write",
		5:   "open",
		6:   "close",
		8:   "creat",
		9:   "link",
		10:  "unlink",
		11:  "execve",
		12:  "chdir",
		14:  "mknod",
		15:  "chmod",
		19:  "lseek",
		20:  "getpid",
		21:  "mount",
		22:  "umount",
		26:  "ptrace",
		27:  "alarm",
		29:  "pause",
		30:  "utime",
		33:  "access",
		34:  "nice",
		36:  "sync",
		37:  "kill",
		38:  "rename",
		39:  "mkdir",
		40:  "rmdir",
		41:  "dup",
		42:  "pipe",
		43:  "times",
		45:  "brk",
		48:  "signal",
		51:  "acct",
		52:  "umount2",
		54:  "ioctl",
		55:  "fcntl",
		57:  "setpgid",
		60:  "umask",
		61:  "chroot",
		62:  "ustat",
		63:  "dup2",
		64:  "getppid",
		65:  "getpgrp",
		66:  "setsid",
		67:  "sigaction",
		72:  "sigsuspend",
		73:  "sigpending",
		74:  "sethostname",
		75:  "setrlimit",
		77:  "getrusage",
		78:  "gettimeofday",
		79:  "settimeofday",
		83:  "symlink",
		85:  "readlink",
		86:  "uselib",
		87:  "swapon",
		88:  "reboot",
		89:  "readdir",
		90:  "mmap",
		91:  "munmap",
		92:  "truncate",
		93:  "ftruncate",
		94:  "fchmod",
		96:  "getpriority",
		97:  "setpriority",
		99:  "statfs",
		100: "fstatfs",
		102: "socketcall",
		103: "syslog",
		104: "setitimer",
		105: "getitimer",
		106: "stat",
		107: "lstat",
		108: "fstat",
		111: "vhangup",
		112: "idle",
		114: "wait4",
		115: "swapoff",
		116: "sysinfo",
		117: "ipc",
		118: "fsync",
		119: "sigreturn",
		120: "clone",
		121: "setdomainname",
		122: "uname",
		124: "adjtimex",
		125: "mprotect",
		126: "sigprocmask",
		127: "create_module",
		128: "init_module",
		129: "delete_module",
		130: "get_kernel_syms",
		131: "quotactl",
		132: "getpgid",
		133: "fchdir",
		134: "bdflush",
		135: "sysfs",
		136: "personality",
		137: "afs_syscall",
		141: "getdents",
		142: "select",
		143: "flock",
		144: "msync",
		145: "readv",
		146: "writev",
		147: "getsid",
		148: "fdatasync",
		149: "_sysctl",
		150: "mlock",
		151: "munlock",
		152: "mlockall",
		153: "munlockall",
		154: "sched_setparam",
		155: "sched_getparam",
		156: "sched_setscheduler",
		157: "sched_getscheduler",
		158: "sched_yield",
		159: "sched_get_priority_max",
		160: "sched_get_priority_min",
		161: "sched_rr_get_interval",
		162: "nanosleep",
		163: "mremap",
		167: "query_module",
		168: "poll",
		169: "nfsservctl",
		172: "prctl",
		173: "rt_sigreturn",
		174: "rt_sigaction",
		175: "rt_sigprocmask",
		176: "rt_sigpending",
		177: "rt_sigtimedwait",
		178: "rt_sigqueueinfo",
		179: "rt_sigsuspend",
		180: "pread",
		181: "pwrite",
		183: "getcwd",
		184: "capget",
		185: "capset",
		186: "sigaltstack",
		187: "sendfile",
		188: "getpmsg",
		189: "putpmsg",
		190: "vfork",
		191: "getrlimit",
		198: "lchown",
		199: "getuid",
		200: "getgid",
		201: "geteuid",
		202: "getegid",
		203: "setreuid",
		204: "setregid",
		205: "getgroups",
		206: "setgroups",
		207: "fchown",
		208: "setresuid",
		209: "getresuid",
		210: "setresgid",
		211: "getresgid",
		212: "chown",
		213: "setuid",
		214: "setgid",
		215: "setfsuid",
		216: "setfsgid",
		217: "pivot_root",
		218: "mincore",
		219: "madvise",
		222: "readahead",
		224: "setxattr",
		225: "lsetxattr",
		226: "fsetxattr",
		227: "getxattr",
		228: "lgetxattr",
		229: "fgetxattr",
		230: "listxattr",
		231: "llistxattr",
		232: "flistxattr",
		233: "removexattr",
		234: "lremovexattr",
		235: "fremovexattr",
		236: "gettid",
		237: "tkill",
		238: "futex",
		239: "sched_setaffinity",
		240: "sched_getaffinity",
		241: "tgkill",
		243: "io_setup",
		244: "io_destroy",
		245: "io_getevents",
		246: "io_submit",
		247: "io_cancel",
		248: "exit_group",
		249: "epoll_create",
		250: "epoll_ctl",
		251: "epoll_wait",
		252: "set_tid_address",
		253: "fadvise64",
		254: "timer_create",
		255: "timer_settime",
		256: "timer_gettime",
		257: "timer_getoverrun",
		258: "timer_delete",
		259: "clock_settime",
		260: "clock_gettime",
		261: "clock_getres",
		262: "clock_nanosleep",
		265: "statfs64",
		266: "fstatfs64",
		267: "remap_file_pages",
		271: "mq_open",
		272: "mq_unlink",
		273: "mq_timedsend",
		274: "mq_timedreceive",
		275: "mq_notify",
		276: "mq_getsetattr",
		277: "kexec_load",
		278: "add_key",
		279: "request_key",
		280: "keyctl",
		281: "waitid",
		282: "ioprio_set",
		283: "ioprio_get",
		284: "inotify_init",
		285: "inotify_add_watch",
		286: "inotify_rm_watch",
		288: "openat",
		289: "mkdirat",
		290: "mknodat",
		291: "fchownat",
		292: "futimesat",
		293: "newfstatat",
		294: "unlinkat",
		295: "renameat",
		296: "linkat",
		297: "symlinkat",
		298: "readlinkat",
		299: "fchmodat",
		300: "faccessat",
		301: "pselect6",
		302: "ppoll",
		303: "unshare",
		304: "set_robust_list",
		305: "get_robust_list",
		306: "splice",
		307: "sync_file_range",
		308: "tee",
		309: "vmsplice",
		311: "getcpu",
		312: "epoll_pwait",
		313: "utimes",
		314: "fallocate",
		315: "utimensat",
		316: "signalfd",
		317: "timerfd",
		318: "eventfd",
		319: "timerfd_create",
		320: "timerfd_settime",
		321: "timerfd_gettime",
		322: "signalfd4",
		323: "eventfd2",
		324: "inotify_init1",
		325: "pipe2",
		326: "dup3",
		327: "epoll_create1",
		328: "preadv",
		329: "pwritev",
		330: "rt_tgsigqueueinfo",
		331: "perf_event_open",
		332: "fanotify_init",
		333: "fanotify_mark",
		334: "prlimit64",
		335: "name_to_handle_at",
		336: "open_by_handle_at",
		337: "clock_adjtime",
		338: "syncfs",
		339: "setns",
		340: "process_vm_readv",
		341: "process_vm_writev",
		342: "s390_runtime_instr",
		343: "kcmp",
		344: "finit_module",
		345: "sched_setattr",
		346: "sched_getattr",
		347: "renameat2",
		348: "seccomp",
		349: "getrandom",
		350: "memfd_create",
		351: "bpf",
		352: "s390_pci_mmio_write",
		353: "s390_pci_mmio_read",
		354: "execveat",
		355: "userfaultfd",
		356: "membarrier",
		357: "recvmmsg",
		358: "sendmmsg",
		359: "socket",
		360: "socketpair",
		361: "bind",
		362: "connect",
		363: "listen",
		364: "accept4",
		365: "getsockopt",
		366: "setsockopt",
		367: "getsockname",
		368: "getpeername",
		369: "sendto",
		370: "sendmsg",
		371: "recvfrom",
		372: "recvmsg",
		373: "shutdown",
		374: "mlock2",
		375: "copy_file_range",
	},
	"x86_64": {
		0:   "read",
		1:   "write",
		2:   "open",
		3:   "close",
		4:   "stat",
		5:   "fstat",
		6:   "lstat",
		7:   "poll",
		8:   "lseek",
		9:   "mmap",
		10:  "mprotect",
		11:  "munmap",
		12:  "brk",
		13:  "rt_sigaction",
		14:  "rt_sigprocmask",
		15:  "rt_sigreturn",
		16:  "ioctl",
		17:  "pread",
		18:  "pwrite",
		19:  "readv",
		20:  "writev",
		21:  "access",
		22:  "pipe",
		23:  "select",
		24:  "sched_yield",
		25:  "mremap",
		26:  "msync",
		27:  "mincore",
		28:  "madvise",
		29:  "shmget",
		30:  "shmat",
		31:  "shmctl",
		32:  "dup",
		33:  "dup2",
		34:  "pause",
		35:  "nanosleep",
		36:  "getitimer",
		37:  "alarm",
		38:  "setitimer",
		39:  "getpid",
		40:  "sendfile",
		41:  "socket",
		42:  "connect",
		43:  "accept",
		44:  "sendto",
		45:  "recvfrom",
		46:  "sendmsg",
		47:  "recvmsg",
		48:  "shutdown",
		49:  "bind",
		50:  "listen",
		51:  "getsockname",
		52:  "getpeername",
		53:  "socketpair",
		54:  "setsockopt",
		55:  "getsockopt",
		56:  "clone",
		57:  "fork",
		58:  "vfork",
		59:  "execve",
		60:  "exit",
		61:  "wait4",
		62:  "kill",
		63:  "uname",
		64:  "semget",
		65:  "semop",
		66:  "semctl",
		67:  "shmdt",
		68:  "msgget",
		69:  "msgsnd",
		70:  "msgrcv",
		71:  "msgctl",
		72:  "fcntl",
		73:  "flock",
		74:  "fsync",
		75:  "fdatasync",
		76:  "truncate",
		77:  "ftruncate",
		78:  "getdents",
		79:  "getcwd",
		80:  "chdir",
		81:  "fchdir",
		82:  "rename",
		83:  "mkdir",
		84:  "rmdir",
		85:  "creat",
		86:  "link",
		87:  "unlink",
		88:  "symlink",
		89:  "readlink",
		90:  "chmod",
		91:  "fchmod",
		92:  "chown",
		93:  "fchown",
		94:  "lchown",
		95:  "umask",
		96:  "gettimeofday",
		97:  "getrlimit",
		98:  "getrusage",
		99:  "sysinfo",
		100: "times",
		101: "ptrace",
		102: "getuid",
		103: "syslog",
		104: "getgid",
		105: "setuid",
		106: "setgid",
		107: "geteuid",
		108: "getegid",
		109: "setpgid",
		110: "getppid",
		111: "getpgrp",
		112: "setsid",
		113: "setreuid",
		114: "setregid",
		115: "getgroups",
		116: "setgroups",
		117: "setresuid",
		118: "getresuid",
		119: "setresgid",
		120: "getresgid",
		121: "getpgid",
		122: "setfsuid",
		123: "setfsgid",
		124: "getsid",
		125: "capget",
		126: "capset",
		127: "rt_sigpending",
		128: "rt_sigtimedwait",
		129: "rt_sigqueueinfo",
		130: "rt_sigsuspend",
		131: "sigaltstack",
		132: "utime",
		133: "mknod",
		134: "uselib",
		135: "personality",
		136: "ustat",
		137: "statfs",
		138: "fstatfs",
		139: "sysfs",
		140: "getpriority",
		141: "setpriority",
		142: "sched_setparam",
		143: "sched_getparam",
		144: "sched_setscheduler",
		145: "sched_getscheduler",
		146: "sched_get_priority_max",
		147: "sched_get_priority_min",
		148: "sched_rr_get_interval",
		149: "mlock",
		150: "munlock",
		151: "mlockall",
		152: "munlockall",
		153: "vhangup",
		154: "modify_ldt",
		155: "pivot_root",
		156: "_sysctl",
		157: "prctl",
		158: "arch_prctl",
		159: "adjtimex",
		160: "setrlimit",
		161: "chroot",
		162: "sync",
		163: "acct",
		164: "settimeofday",
		165: "mount",
		166: "umount2",
		167: "swapon",
		168: "swapoff",
		169: "reboot",
		170: "sethostname",
		171: "setdomainname",
		172: "iopl",
		173: "ioperm",
		174: "create_module",
		175: "init_module",
		176: "delete_module",
		177: "get_kernel_syms",
		178: "query_module",
		179: "quotactl",
		180: "nfsservctl",
		181: "getpmsg",
		182: "putpmsg",
		183: "afs_syscall",
		184: "tuxcall",
		185: "security",
		186: "gettid",
		187: "readahead",
		188: "setxattr",
		189: "lsetxattr",
		190: "fsetxattr",
		191: "getxattr",
		192: "lgetxattr",
		193: "fgetxattr",
		194: "listxattr",
		195: "llistxattr",
		196: "flistxattr",
		197: "removexattr",
		198: "lremovexattr",
		199: "fremovexattr",
		200: "tkill",
		201: "time",
		202: "futex",
		203: "sched_setaffinity",
		204: "sched_getaffinity",
		205: "set_thread_area",
		206: "io_setup",
		207: "io_destroy",
		208: "io_getevents",
		209: "io_submit",
		210: "io_cancel",
		211: "get_thread_area",
		212: "lookup_dcookie",
		213: "epoll_create",
		214: "epoll_ctl_old",
		215: "epoll_wait_old",
		216: "remap_file_pages",
		217: "getdents64",
		218: "set_tid_address",
		219: "restart_syscall",
		220: "semtimedop",
		221: "fadvise64",
		222: "timer_create",
		223: "timer_settime",
		224: "timer_gettime",
		225: "timer_getoverrun",
		226: "timer_delete",
		227: "clock_settime",
		228: "clock_gettime",
		229: "clock_getres",
		230: "clock_nanosleep",
		231: "exit_group",
		232: "epoll_wait",
		233: "epoll_ctl",
		234: "tgkill",
		235: "utimes",
		236: "vserver",
		237: "mbind",
		238: "set_mempolicy",
		239: "get_mempolicy",
		240: "mq_open",
		241: "mq_unlink",
		242: "mq_timedsend",
		243: "mq_timedreceive",
		244: "mq_notify",
		245: "mq_getsetattr",
		246: "kexec_load",
		247: "waitid",
		248: "add_key",
		249: "request_key",
		250: "keyctl",
		251: "ioprio_set",
		252: "ioprio_get",
		253: "inotify_init",
		254: "inotify_add_watch",
		255: "inotify_rm_watch",
		256: "migrate_pages",
		257: "openat",
		258: "mkdirat",
		259: "mknodat",
		260: "fchownat",
		261: "futimesat",
		262: "newfstatat",
		263: "unlinkat",
		264: "renameat",
		265: "linkat",
		266: "symlinkat",
		267: "readlinkat",
		268: "fchmodat",
		269: "faccessat",
		270: "pselect6",
		271: "ppoll",
		272: "unshare",
		273: "set_robust_list",
		274: "get_robust_list",
		275: "splice",
		276: "tee",
		277: "sync_file_range",
		278: "vmsplice",
		279: "move_pages",
		280: "utimensat",
		281: "epoll_pwait",
		282: "signalfd",
		283: "timerfd",
		284: "eventfd",
		285: "fallocate",
		286: "timerfd_settime",
		287: "timerfd_gettime",
		288: "accept4",
		289: "signalfd4",
		290: "eventfd2",
		291: "epoll_create1",
		292: "dup3",
		293: "pipe2",
		294: "inotify_init1",
		295: "preadv",
		296: "pwritev",
		297: "rt_tgsigqueueinfo",
		298: "perf_event_open",
		299: "recvmmsg",
		300: "fanotify_init",
		301: "fanotify_mark",
		302: "prlimit64",
		303: "name_to_handle_at",
		304: "open_by_handle_at",
		305: "clock_adjtime",
		306: "syncfs",
		307: "sendmmsg",
		308: "setns",
		309: "getcpu",
		310: "process_vm_readv",
		311: "process_vm_writev",
		312: "kcmp",
		313: "finit_module",
		314: "sched_setattr",
		315: "sched_getattr",
		316: "renameat2",
		317: "seccomp",
		318: "getrandom",
		319: "memfd_create",
		320: "kexec_file_load",
		321: "bpf",
		322: "execveat",
		323: "userfaultfd",
		324: "membarrier",
		325: "mlock2",
		326: "copy_file_range",
	},
}

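AuditSyscalls is a mapping of arch names to tables of syscall numbers to names. For example, x86_64 -> 165 = "mount". Syscall numbers are specific to each architecture (execve is 59 in the x86_64 table but 11 in the s390 table), so a number must be looked up in the table for the arch reported in the same record.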

Functions

This section is empty.

Types

type AuditArch added in v0.0.4

// AuditArch is the architecture identifier reported in the arch field of an
// audit record (for example arch=c000003e, which is AUDIT_ARCH_X86_64). It
// selects which per-architecture syscall table applies to the record.
type AuditArch uint32

// Known AuditArch values. The numbers appear to follow the kernel's
// AUDIT_ARCH_* encoding: the low bits hold the ELF machine number,
// 0x80000000 is set on the 64-bit entries and 0x40000000 on the
// little-endian ones (0x20000000 is set only on the two MIPS N32 entries).
// NOTE(review): confirm against linux/audit.h before relying on the bit
// layout.
const (
	AUDIT_ARCH_AARCH64     AuditArch = 0xc00000b7
	AUDIT_ARCH_ARM         AuditArch = 0x40000028
	AUDIT_ARCH_ARMEB       AuditArch = 0x28
	AUDIT_ARCH_CRIS        AuditArch = 0x4000004c
	AUDIT_ARCH_FRV         AuditArch = 0x5441
	AUDIT_ARCH_I386        AuditArch = 0x40000003
	AUDIT_ARCH_IA64        AuditArch = 0xc0000032
	AUDIT_ARCH_M32R        AuditArch = 0x58
	AUDIT_ARCH_M68K        AuditArch = 0x4
	AUDIT_ARCH_MIPS        AuditArch = 0x8
	AUDIT_ARCH_MIPS64      AuditArch = 0x80000008
	AUDIT_ARCH_MIPS64N32   AuditArch = 0xa0000008
	AUDIT_ARCH_MIPSEL      AuditArch = 0x40000008
	AUDIT_ARCH_MIPSEL64    AuditArch = 0xc0000008
	AUDIT_ARCH_MIPSEL64N32 AuditArch = 0xe0000008
	AUDIT_ARCH_PARISC      AuditArch = 0xf
	AUDIT_ARCH_PARISC64    AuditArch = 0x8000000f
	AUDIT_ARCH_PPC         AuditArch = 0x14
	AUDIT_ARCH_PPC64       AuditArch = 0x80000015
	AUDIT_ARCH_PPC64LE     AuditArch = 0xc0000015
	AUDIT_ARCH_S390        AuditArch = 0x16
	AUDIT_ARCH_S390X       AuditArch = 0x80000016
	AUDIT_ARCH_SH          AuditArch = 0x2a
	AUDIT_ARCH_SH64        AuditArch = 0x8000002a
	AUDIT_ARCH_SHEL        AuditArch = 0x4000002a
	AUDIT_ARCH_SHEL64      AuditArch = 0xc000002a
	AUDIT_ARCH_SPARC       AuditArch = 0x2
	AUDIT_ARCH_SPARC64     AuditArch = 0x8000002b
	AUDIT_ARCH_X86_64      AuditArch = 0xc000003e
)

func (AuditArch) String added in v0.0.4

func (a AuditArch) String() string

type AuditMessage

// AuditMessage represents a single audit message. The header values (record
// type, timestamp, sequence) are exported as fields; the key=value pairs of
// the payload are reached through the Data and ToMapStr methods.
type AuditMessage struct {
	RecordType AuditMessageType // Record type from netlink header.
	Timestamp  time.Time        // Timestamp parsed from payload in netlink message.
	Sequence   uint32           // Sequence parsed from payload.
	// NOTE(review): RawData presumably holds the record text unmodified,
	// including values that describe the audited process (comm, exe, ...).
	// Escape it before rendering it in a UI or writing it into another log.
	RawData    string           // Raw message as a string.
	// contains filtered or unexported fields
}

AuditMessage represents a single audit message.

func Parse

func Parse(typ AuditMessageType, message string) (*AuditMessage, error)

Parse parses an audit message in the format it was received from the kernel. It expects a message type, which is the message type value from the netlink header, and a message, which is raw data from the netlink message. The message should begin with the audit header that contains the timestamp and sequence number -- "audit(1488862769.030:19469538)".

A non-nil error is returned if it fails to parse the message header (timestamp, sequence).

func ParseLogLine

func ParseLogLine(line string) (*AuditMessage, error)

ParseLogLine parses an audit message as logged by the Linux audit daemon. It expects log lines that begin with the message type. For example, "type=SYSCALL msg=audit(1488862769.030:19469538)". A non-nil error is returned if it fails to parse the message header (type, timestamp, sequence).

Example

ExampleParseLogLine demonstrates parsing a log line from auditd and shows what the parsed data looks like.

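// Parse one auditd log line. ParseLogLine reports an error only when the
// header (type, timestamp, sequence) cannot be parsed.
msg, err := ParseLogLine(syscallLogLine)
if err != nil {
	// Report the failure instead of returning silently, so a record that
	// could not be parsed is visible to whoever runs the example.
	fmt.Println("parse log line:", err)
	return
}

// ToMapStr has no error return; when parsing the key=value pairs fails, the
// returned map carries an error key instead, so the JSON below still renders.
evt, err := json.MarshalIndent(msg.ToMapStr(), "", "  ")
if err != nil {
	fmt.Println("marshal event:", err)
	return
}

fmt.Println(string(evt))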
Output:

{
  "@timestamp": "2017-03-21 23:12:51.011 +0000 UTC",
  "a0": "15",
  "a1": "7ffd83722200",
  "a2": "6e",
  "a3": "ea60",
  "arch": "x86_64",
  "auid": "unset",
  "comm": "master",
  "egid": "0",
  "euid": "0",
  "exe": "/usr/libexec/postfix/master",
  "exit": "0",
  "fsgid": "0",
  "fsuid": "0",
  "gid": "0",
  "items": "1",
  "pid": "1229",
  "ppid": "1",
  "raw_msg": "audit(1490137971.011:50406): arch=c000003e syscall=42 success=yes exit=0 a0=15 a1=7ffd83722200 a2=6e a3=ea60 items=1 ppid=1 pid=1229 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"master\" exe=\"/usr/libexec/postfix/master\" subj=system_u:system_r:postfix_master_t:s0 key=(null)",
  "record_type": "SYSCALL",
  "result": "success",
  "sequence": "50406",
  "ses": "unset",
  "sgid": "0",
  "subj_domain": "postfix_master_t",
  "subj_level": "s0",
  "subj_role": "system_r",
  "subj_user": "system_u",
  "suid": "0",
  "syscall": "connect",
  "tty": "(none)",
  "uid": "0"
}

func (*AuditMessage) Data

func (m *AuditMessage) Data() (map[string]string, error)

Data returns the key-value pairs that are contained in the audit message. This information is parsed from the raw message text the first time this method is called; all future invocations return the stored result. A nil map may be returned if the error is non-nil. A non-nil error is returned if there was a failure parsing or enriching the data.

func (*AuditMessage) Tags added in v0.0.7

func (m *AuditMessage) Tags() ([]string, error)

func (*AuditMessage) ToMapStr

func (m *AuditMessage) ToMapStr() map[string]interface{}

ToMapStr returns a new map containing the parsed key value pairs, the record_type, @timestamp, and sequence. The parsed key value pairs have a lower precedence than the well-known keys and will not override them. If an error occurred while parsing the message then an error key will be present.

type AuditMessageType

// AuditMessageType represents an audit message type used by the kernel. It is
// the record type value taken from the netlink header and is what Parse
// expects as its first argument.
type AuditMessageType uint16

AuditMessageType represents an audit message type used by the kernel.

// Audit message type numbers, grouped below by numeric range. The grouping
// comments are derived from the constant names and values in this list; the
// AUDIT_FIRST_*/AUDIT_LAST_* entries look like range boundary markers rather
// than record types in their own right (NOTE(review): confirm against the
// kernel/libaudit headers this list was generated from).
//
// The list is not contiguous: for example 1301, 1308 and 1310 have no name
// here, so code that maps a numeric type to a name must handle values that
// are absent from this list.
const (
	// 1000-1019: requests that query or configure the audit subsystem
	// (status, rules, watches, TTY auditing, features).
	AUDIT_GET                      AuditMessageType = 1000
	AUDIT_SET                      AuditMessageType = 1001
	AUDIT_LIST                     AuditMessageType = 1002
	AUDIT_ADD                      AuditMessageType = 1003
	AUDIT_DEL                      AuditMessageType = 1004
	AUDIT_USER                     AuditMessageType = 1005
	AUDIT_LOGIN                    AuditMessageType = 1006
	AUDIT_WATCH_INS                AuditMessageType = 1007
	AUDIT_WATCH_REM                AuditMessageType = 1008
	AUDIT_WATCH_LIST               AuditMessageType = 1009
	AUDIT_SIGNAL_INFO              AuditMessageType = 1010
	AUDIT_ADD_RULE                 AuditMessageType = 1011
	AUDIT_DEL_RULE                 AuditMessageType = 1012
	AUDIT_LIST_RULES               AuditMessageType = 1013
	AUDIT_TRIM                     AuditMessageType = 1014
	AUDIT_MAKE_EQUIV               AuditMessageType = 1015
	AUDIT_TTY_GET                  AuditMessageType = 1016
	AUDIT_TTY_SET                  AuditMessageType = 1017
	AUDIT_SET_FEATURE              AuditMessageType = 1018
	AUDIT_GET_FEATURE              AuditMessageType = 1019
	// 1100-1199: user-space messages (authentication, accounts, credentials,
	// logins, services); the range ends at AUDIT_LAST_USER_MSG.
	AUDIT_USER_AUTH                AuditMessageType = 1100
	AUDIT_USER_ACCT                AuditMessageType = 1101
	AUDIT_USER_MGMT                AuditMessageType = 1102
	AUDIT_CRED_ACQ                 AuditMessageType = 1103
	AUDIT_CRED_DISP                AuditMessageType = 1104
	AUDIT_USER_START               AuditMessageType = 1105
	AUDIT_USER_END                 AuditMessageType = 1106
	AUDIT_USER_AVC                 AuditMessageType = 1107
	AUDIT_USER_CHAUTHTOK           AuditMessageType = 1108
	AUDIT_USER_ERR                 AuditMessageType = 1109
	AUDIT_CRED_REFR                AuditMessageType = 1110
	AUDIT_USYS_CONFIG              AuditMessageType = 1111
	AUDIT_USER_LOGIN               AuditMessageType = 1112
	AUDIT_USER_LOGOUT              AuditMessageType = 1113
	AUDIT_ADD_USER                 AuditMessageType = 1114
	AUDIT_DEL_USER                 AuditMessageType = 1115
	AUDIT_ADD_GROUP                AuditMessageType = 1116
	AUDIT_DEL_GROUP                AuditMessageType = 1117
	AUDIT_DAC_CHECK                AuditMessageType = 1118
	AUDIT_CHGRP_ID                 AuditMessageType = 1119
	AUDIT_TEST                     AuditMessageType = 1120
	AUDIT_TRUSTED_APP              AuditMessageType = 1121
	AUDIT_USER_SELINUX_ERR         AuditMessageType = 1122
	AUDIT_USER_CMD                 AuditMessageType = 1123
	AUDIT_USER_TTY                 AuditMessageType = 1124
	AUDIT_CHUSER_ID                AuditMessageType = 1125
	AUDIT_GRP_AUTH                 AuditMessageType = 1126
	AUDIT_SYSTEM_BOOT              AuditMessageType = 1127
	AUDIT_SYSTEM_SHUTDOWN          AuditMessageType = 1128
	AUDIT_SYSTEM_RUNLEVEL          AuditMessageType = 1129
	AUDIT_SERVICE_START            AuditMessageType = 1130
	AUDIT_SERVICE_STOP             AuditMessageType = 1131
	AUDIT_GRP_MGMT                 AuditMessageType = 1132
	AUDIT_GRP_CHAUTHTOK            AuditMessageType = 1133
	AUDIT_MAC_CHECK                AuditMessageType = 1134
	AUDIT_ACCT_LOCK                AuditMessageType = 1135
	AUDIT_ACCT_UNLOCK              AuditMessageType = 1136
	AUDIT_LAST_USER_MSG            AuditMessageType = 1199
	// 1200-1299: audit daemon lifecycle and configuration messages; the range
	// ends at AUDIT_LAST_DAEMON.
	AUDIT_DAEMON_START             AuditMessageType = 1200
	AUDIT_DAEMON_END               AuditMessageType = 1201
	AUDIT_DAEMON_ABORT             AuditMessageType = 1202
	AUDIT_DAEMON_CONFIG            AuditMessageType = 1203
	AUDIT_DAEMON_RECONFIG          AuditMessageType = 1204
	AUDIT_DAEMON_ROTATE            AuditMessageType = 1205
	AUDIT_DAEMON_RESUME            AuditMessageType = 1206
	AUDIT_DAEMON_ACCEPT            AuditMessageType = 1207
	AUDIT_DAEMON_CLOSE             AuditMessageType = 1208
	AUDIT_DAEMON_ERR               AuditMessageType = 1209
	AUDIT_LAST_DAEMON              AuditMessageType = 1299
	// 1300-1399: event records (syscall, path, socket, execve, seccomp, ...);
	// the range ends at AUDIT_LAST_EVENT. 1301, 1308 and 1310 are not named.
	AUDIT_SYSCALL                  AuditMessageType = 1300
	AUDIT_PATH                     AuditMessageType = 1302
	AUDIT_IPC                      AuditMessageType = 1303
	AUDIT_SOCKETCALL               AuditMessageType = 1304
	AUDIT_CONFIG_CHANGE            AuditMessageType = 1305
	AUDIT_SOCKADDR                 AuditMessageType = 1306
	AUDIT_CWD                      AuditMessageType = 1307
	AUDIT_EXECVE                   AuditMessageType = 1309
	AUDIT_IPC_SET_PERM             AuditMessageType = 1311
	AUDIT_MQ_OPEN                  AuditMessageType = 1312
	AUDIT_MQ_SENDRECV              AuditMessageType = 1313
	AUDIT_MQ_NOTIFY                AuditMessageType = 1314
	AUDIT_MQ_GETSETATTR            AuditMessageType = 1315
	AUDIT_KERNEL_OTHER             AuditMessageType = 1316
	AUDIT_FD_PAIR                  AuditMessageType = 1317
	AUDIT_OBJ_PID                  AuditMessageType = 1318
	AUDIT_TTY                      AuditMessageType = 1319
	AUDIT_EOE                      AuditMessageType = 1320
	AUDIT_BPRM_FCAPS               AuditMessageType = 1321
	AUDIT_CAPSET                   AuditMessageType = 1322
	AUDIT_MMAP                     AuditMessageType = 1323
	AUDIT_NETFILTER_PKT            AuditMessageType = 1324
	AUDIT_NETFILTER_CFG            AuditMessageType = 1325
	AUDIT_SECCOMP                  AuditMessageType = 1326
	AUDIT_PROCTITLE                AuditMessageType = 1327
	AUDIT_FEATURE_CHANGE           AuditMessageType = 1328
	AUDIT_REPLACE                  AuditMessageType = 1329
	AUDIT_KERN_MODULE              AuditMessageType = 1330
	AUDIT_LAST_EVENT               AuditMessageType = 1399
	// 1400-1499: SELinux and other MAC messages; the range ends at
	// AUDIT_LAST_SELINUX.
	AUDIT_AVC                      AuditMessageType = 1400
	AUDIT_SELINUX_ERR              AuditMessageType = 1401
	AUDIT_AVC_PATH                 AuditMessageType = 1402
	AUDIT_MAC_POLICY_LOAD          AuditMessageType = 1403
	AUDIT_MAC_STATUS               AuditMessageType = 1404
	AUDIT_MAC_CONFIG_CHANGE        AuditMessageType = 1405
	AUDIT_MAC_UNLBL_ALLOW          AuditMessageType = 1406
	AUDIT_MAC_CIPSOV4_ADD          AuditMessageType = 1407
	AUDIT_MAC_CIPSOV4_DEL          AuditMessageType = 1408
	AUDIT_MAC_MAP_ADD              AuditMessageType = 1409
	AUDIT_MAC_MAP_DEL              AuditMessageType = 1410
	AUDIT_MAC_IPSEC_ADDSA          AuditMessageType = 1411
	AUDIT_MAC_IPSEC_DELSA          AuditMessageType = 1412
	AUDIT_MAC_IPSEC_ADDSPD         AuditMessageType = 1413
	AUDIT_MAC_IPSEC_DELSPD         AuditMessageType = 1414
	AUDIT_MAC_IPSEC_EVENT          AuditMessageType = 1415
	AUDIT_MAC_UNLBL_STCADD         AuditMessageType = 1416
	AUDIT_MAC_UNLBL_STCDEL         AuditMessageType = 1417
	AUDIT_LAST_SELINUX             AuditMessageType = 1499
	// 1500-1599: AppArmor messages; the range ends at AUDIT_LAST_APPARMOR.
	AUDIT_AA                       AuditMessageType = 1500
	AUDIT_APPARMOR_AUDIT           AuditMessageType = 1501
	AUDIT_APPARMOR_ALLOWED         AuditMessageType = 1502
	AUDIT_APPARMOR_DENIED          AuditMessageType = 1503
	AUDIT_APPARMOR_HINT            AuditMessageType = 1504
	AUDIT_APPARMOR_STATUS          AuditMessageType = 1505
	AUDIT_APPARMOR_ERROR           AuditMessageType = 1506
	AUDIT_LAST_APPARMOR            AuditMessageType = 1599
	// 1600-1699: kernel crypto range; only the first/last markers are named.
	AUDIT_FIRST_KERN_CRYPTO_MSG    AuditMessageType = 1600
	AUDIT_LAST_KERN_CRYPTO_MSG     AuditMessageType = 1699
	// 1700-1799: kernel anomaly messages; the range ends at
	// AUDIT_LAST_KERN_ANOM_MSG.
	AUDIT_ANOM_PROMISCUOUS         AuditMessageType = 1700
	AUDIT_ANOM_ABEND               AuditMessageType = 1701
	AUDIT_ANOM_LINK                AuditMessageType = 1702
	AUDIT_LAST_KERN_ANOM_MSG       AuditMessageType = 1799
	// 1800-1899: integrity messages; the range ends at
	// AUDIT_INTEGRITY_LAST_MSG.
	AUDIT_INTEGRITY_DATA           AuditMessageType = 1800
	AUDIT_INTEGRITY_METADATA       AuditMessageType = 1801
	AUDIT_INTEGRITY_STATUS         AuditMessageType = 1802
	AUDIT_INTEGRITY_HASH           AuditMessageType = 1803
	AUDIT_INTEGRITY_PCR            AuditMessageType = 1804
	AUDIT_INTEGRITY_RULE           AuditMessageType = 1805
	AUDIT_INTEGRITY_LAST_MSG       AuditMessageType = 1899
	// 2000: the single AUDIT_KERNEL type.
	AUDIT_KERNEL                   AuditMessageType = 2000
	// 2100-2199: anomaly reports (login, access-control, crypto and account
	// anomalies); the range ends at AUDIT_LAST_ANOM_MSG.
	AUDIT_ANOM_LOGIN_FAILURES      AuditMessageType = 2100
	AUDIT_ANOM_LOGIN_TIME          AuditMessageType = 2101
	AUDIT_ANOM_LOGIN_SESSIONS      AuditMessageType = 2102
	AUDIT_ANOM_LOGIN_ACCT          AuditMessageType = 2103
	AUDIT_ANOM_LOGIN_LOCATION      AuditMessageType = 2104
	AUDIT_ANOM_MAX_DAC             AuditMessageType = 2105
	AUDIT_ANOM_MAX_MAC             AuditMessageType = 2106
	AUDIT_ANOM_AMTU_FAIL           AuditMessageType = 2107
	AUDIT_ANOM_RBAC_FAIL           AuditMessageType = 2108
	AUDIT_ANOM_RBAC_INTEGRITY_FAIL AuditMessageType = 2109
	AUDIT_ANOM_CRYPTO_FAIL         AuditMessageType = 2110
	AUDIT_ANOM_ACCESS_FS           AuditMessageType = 2111
	AUDIT_ANOM_EXEC                AuditMessageType = 2112
	AUDIT_ANOM_MK_EXEC             AuditMessageType = 2113
	AUDIT_ANOM_ADD_ACCT            AuditMessageType = 2114
	AUDIT_ANOM_DEL_ACCT            AuditMessageType = 2115
	AUDIT_ANOM_MOD_ACCT            AuditMessageType = 2116
	AUDIT_ANOM_ROOT_TRANS          AuditMessageType = 2117
	AUDIT_LAST_ANOM_MSG            AuditMessageType = 2199
	// 2200-2299: responses to anomalies; the range ends at
	// AUDIT_LAST_ANOM_RESP.
	AUDIT_RESP_ANOMALY             AuditMessageType = 2200
	AUDIT_RESP_ALERT               AuditMessageType = 2201
	AUDIT_RESP_KILL_PROC           AuditMessageType = 2202
	AUDIT_RESP_TERM_ACCESS         AuditMessageType = 2203
	AUDIT_RESP_ACCT_REMOTE         AuditMessageType = 2204
	AUDIT_RESP_ACCT_LOCK_TIMED     AuditMessageType = 2205
	AUDIT_RESP_ACCT_UNLOCK_TIMED   AuditMessageType = 2206
	AUDIT_RESP_ACCT_LOCK           AuditMessageType = 2207
	AUDIT_RESP_TERM_LOCK           AuditMessageType = 2208
	AUDIT_RESP_SEBOOL              AuditMessageType = 2209
	AUDIT_RESP_EXEC                AuditMessageType = 2210
	AUDIT_RESP_SINGLE              AuditMessageType = 2211
	AUDIT_RESP_HALT                AuditMessageType = 2212
	AUDIT_LAST_ANOM_RESP           AuditMessageType = 2299
	// 2300-2399: role, label and device-allocation messages; the range ends
	// at AUDIT_LAST_USER_LSPP_MSG.
	AUDIT_USER_ROLE_CHANGE         AuditMessageType = 2300
	AUDIT_ROLE_ASSIGN              AuditMessageType = 2301
	AUDIT_ROLE_REMOVE              AuditMessageType = 2302
	AUDIT_LABEL_OVERRIDE           AuditMessageType = 2303
	AUDIT_LABEL_LEVEL_CHANGE       AuditMessageType = 2304
	AUDIT_USER_LABELED_EXPORT      AuditMessageType = 2305
	AUDIT_USER_UNLABELED_EXPORT    AuditMessageType = 2306
	AUDIT_DEV_ALLOC                AuditMessageType = 2307
	AUDIT_DEV_DEALLOC              AuditMessageType = 2308
	AUDIT_FS_RELABEL               AuditMessageType = 2309
	AUDIT_USER_MAC_POLICY_LOAD     AuditMessageType = 2310
	AUDIT_ROLE_MODIFY              AuditMessageType = 2311
	AUDIT_USER_MAC_CONFIG_CHANGE   AuditMessageType = 2312
	AUDIT_LAST_USER_LSPP_MSG       AuditMessageType = 2399
	// 2400-2499: crypto messages (tests, parameter changes, keys, sessions,
	// IKE/IPsec SAs); the range ends at AUDIT_LAST_CRYPTO_MSG.
	AUDIT_CRYPTO_TEST_USER         AuditMessageType = 2400
	AUDIT_CRYPTO_PARAM_CHANGE_USER AuditMessageType = 2401
	AUDIT_CRYPTO_LOGIN             AuditMessageType = 2402
	AUDIT_CRYPTO_LOGOUT            AuditMessageType = 2403
	AUDIT_CRYPTO_KEY_USER          AuditMessageType = 2404
	AUDIT_CRYPTO_FAILURE_USER      AuditMessageType = 2405
	AUDIT_CRYPTO_REPLAY_USER       AuditMessageType = 2406
	AUDIT_CRYPTO_SESSION           AuditMessageType = 2407
	AUDIT_CRYPTO_IKE_SA            AuditMessageType = 2408
	AUDIT_CRYPTO_IPSEC_SA          AuditMessageType = 2409
	AUDIT_LAST_CRYPTO_MSG          AuditMessageType = 2499
	// 2500-2599: virtualization messages; the range ends at
	// AUDIT_LAST_VIRT_MSG.
	AUDIT_VIRT_CONTROL             AuditMessageType = 2500
	AUDIT_VIRT_RESOURCE            AuditMessageType = 2501
	AUDIT_VIRT_MACHINE_ID          AuditMessageType = 2502
	AUDIT_VIRT_INTEGRITY_CHECK     AuditMessageType = 2503
	AUDIT_VIRT_CREATE              AuditMessageType = 2504
	AUDIT_VIRT_DESTROY             AuditMessageType = 2505
	AUDIT_VIRT_MIGRATE_IN          AuditMessageType = 2506
	AUDIT_VIRT_MIGRATE_OUT         AuditMessageType = 2507
	AUDIT_LAST_VIRT_MSG            AuditMessageType = 2599
	// 2999: highest value named in this list.
	AUDIT_LAST_USER_MSG2           AuditMessageType = 2999
)

List of AuditMessageTypes.

func GetAuditMessageType

func GetAuditMessageType(name string) (AuditMessageType, error)

GetAuditMessageType accepts a type name and returns its numerical representation. If the name is unknown, an error is returned.

func (AuditMessageType) MarshalText added in v0.0.3

func (t AuditMessageType) MarshalText() (text []byte, err error)

func (AuditMessageType) String

func (t AuditMessageType) String() string

func (*AuditMessageType) UnmarshalText added in v0.0.7

func (t *AuditMessageType) UnmarshalText(text []byte) error
