AUDIT_ADD_RULE_DATA(3)          Linux Audit API         AUDIT_ADD_RULE_DATA(3)


NAME

       audit_add_rule_data - Add new audit rule


SYNOPSIS

       #include <libaudit.h>

       int audit_add_rule_data(int fd, struct audit_rule_data *rule, int flags,
                               int action);


DESCRIPTION

       audit_add_rule_data adds an audit rule previously constructed with
       audit_rule_fieldpair_data(3) to one of several kernel event filters.
       The filter is specified by the flags argument. Possible values for
       flags are:

       •  AUDIT_FILTER_USER - Apply rule to userspace generated messages. This
          is the user filter. Normally all user space originating events are
          accepted. Rules on this filter are typically written to block
          specific events.

       •  AUDIT_FILTER_TASK - Apply rule at task creation (not syscall). This
          is the task filter. It is normally used to exclude an application
          from being audited.

       •  AUDIT_FILTER_EXIT - Apply rule at syscall exit. This is the main
          filter that is used for syscalls and filesystem watches. Normally
          syscalls do not trigger events, so this filter is used to specify
          the events that are of interest.

       •  AUDIT_FILTER_EXCLUDE - Apply rule at audit_log_start. This is the
          exclude filter, which discards any records that match. The action
          type is ignored for this filter, defaulting to "never".

       •  AUDIT_FILTER_FS - Apply rule when adding PATH auxiliary records to
          SYSCALL events. This is the filesystem filter. It is used to ignore
          PATH records that are not of interest.

       The rule's action has two possible values:

       •  AUDIT_NEVER - Do not build context if rule matches.

       •  AUDIT_ALWAYS - Generate audit record if rule matches.

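       The following program is an added example, not part of this manual
       page or of the audit-userspace sources. It builds an "always,exit"
       rule field by field with audit_rule_fieldpair_data(3) and hands it to
       the exit filter with audit_add_rule_data, the library equivalent of
       "auditctl -a always,exit -F arch=b64 -S execve -F auid>=1000
       -F auid!=4294967295 -k user-exec". The key name "user-exec", the
       helper names rule_was_sent, effective_action and add_user_exec_rule,
       and the use of a __has_include guard (so the file still builds where
       libaudit.h is absent) are the example's own choices. Sending the rule
       requires CAP_AUDIT_CONTROL on a Linux host with libaudit installed.

```c
/* Added example (not from the man page): add an always,exit syscall rule
 * that records every execve() by a logged-in user, the libaudit equivalent
 * of:  auditctl -a always,exit -F arch=b64 -S execve -F auid>=1000 \
 *               -F auid!=4294967295 -k user-exec
 * Assumes a Linux host. The rule is only sent when libaudit.h is available
 * at build time and the process holds CAP_AUDIT_CONTROL. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <linux/audit.h>   /* AUDIT_FILTER_*, AUDIT_ALWAYS, AUDIT_NEVER */

#if defined(__has_include)
#  if __has_include(<libaudit.h>)
#    include <libaudit.h>
#    define HAVE_LIBAUDIT 1
#  endif
#endif

/* RETURN VALUE semantics: <= 0 is an error, > 0 is the netlink sequence id
 * of the request that reached the kernel. */
int rule_was_sent(int rc)
{
    return rc > 0;
}

/* The exclude filter ignores the action and behaves as "never"; make that
 * explicit so a caller does not believe AUDIT_ALWAYS had an effect there. */
int effective_action(int flags, int action)
{
    return (flags == AUDIT_FILTER_EXCLUDE) ? AUDIT_NEVER : action;
}

#ifdef HAVE_LIBAUDIT
/* Build the rule one field pair at a time, then add it to the exit filter.
 * Returns the netlink sequence id (> 0) or a negative errno-style value. */
int add_user_exec_rule(const char *key)
{
    char pair[64];
    int fd, rc;
    struct audit_rule_data *rule;

    fd = audit_open();
    if (fd < 0)
        return -errno;

    rule = audit_rule_create_data();
    if (rule == NULL) {
        audit_close(fd);
        return -ENOMEM;
    }

    /* arch must be fixed before the syscall name is resolved */
    rc = audit_rule_fieldpair_data(&rule, "arch=b64", AUDIT_FILTER_EXIT);
    if (rc == 0)
        rc = audit_rule_syscallbyname_data(rule, "execve");
    if (rc == 0)
        rc = audit_rule_fieldpair_data(&rule, "auid>=1000", AUDIT_FILTER_EXIT);
    if (rc == 0)   /* 4294967295 is the unset login uid of system daemons */
        rc = audit_rule_fieldpair_data(&rule, "auid!=4294967295", AUDIT_FILTER_EXIT);
    if (rc == 0) {
        snprintf(pair, sizeof pair, "key=%s", key);
        rc = audit_rule_fieldpair_data(&rule, pair, AUDIT_FILTER_EXIT);
    }
    if (rc < 0) {
        audit_rule_free_data(rule);
        audit_close(fd);
        return rc;
    }

    /* flags selects the exit filter; action asks for a record on match */
    rc = audit_add_rule_data(fd, rule, AUDIT_FILTER_EXIT,
                             effective_action(AUDIT_FILTER_EXIT, AUDIT_ALWAYS));
    audit_rule_free_data(rule);
    audit_close(fd);
    return rc;
}
#else
/* libaudit.h was not found at build time: report that instead of a rule id */
int add_user_exec_rule(const char *key)
{
    (void)key;
    return -ENOSYS;
}
#endif

int main(void)
{
    int rc = add_user_exec_rule("user-exec");
    if (!rule_was_sent(rc)) {
        fprintf(stderr, "audit_add_rule_data failed: %s\n", strerror(-rc));
        return EXIT_FAILURE;
    }
    printf("rule sent, netlink sequence id %d\n", rc);
    return EXIT_SUCCESS;
}
```

       A positive result only means the request reached the kernel; the
       kernel's acceptance or rejection (for example EEXIST for a duplicate
       rule) arrives as a separate netlink reply, which auditctl(8) reads
       after every rule it adds.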

RETURN VALUE

       The return value is <= 0 on error, otherwise it is the netlink sequence
       id number. This function can fail with any error that sendto would
       encounter.


SEE ALSO

       audit_rule_fieldpair_data(3), audit_delete_rule_data(3), auditctl(8).


AUTHOR

       Steve Grubb.

Red Hat                            Aug 2009             AUDIT_ADD_RULE_DATA(3)