1AUDIT_ADD_RULE_DATA(3) Linux Audit API AUDIT_ADD_RULE_DATA(3)
2
6 audit_add_rule_data - Add new audit rule
7
9 #include <libaudit.h>
10 int audit_add_rule_data(int fd, struct audit_rule_data *rule, int
12 flags, int action);
13
16 audit_add_rule_data adds an audit rule previously constructed with au‐
17 dit_rule_fieldpair_data(3) to one of several kernel event filters. The
18 filter is specified by the flags argument. Possible values for flags
19 are:
20 • AUDIT_FILTER_USER - Apply rule to userspace generated messages. This
23 is the user filter. Normally all user space originating events are
24 accepted. Rules on this filter are typically written to block spe‐
25 cific events.
26 • AUDIT_FILTER_TASK - Apply rule at task creation (not syscall). This
28 is the task filter. It's normally used to exclude an application
29 from being audited.
30 • AUDIT_FILTER_EXIT - Apply rule at syscall exit. This is the main
32 filter that is used for syscalls and filesystem watches. Normally
33 all syscall do not trigger events, so this is normally used to spec‐
34 ify events that are of interest.
35 • AUDIT_FILTER_EXCLUDE - Apply rule at audit_log_start. This is the
37 exclude filter which discards any records that match. The action
38 type is ignored for this filter, defaulting to "never".
39 • AUDIT_FILTER_FS - Apply rule when adding PATH auxiliary records
41 to SYSCALL events. This is the filesystem filter. This is used
42 to ignore PATH records that are not of interest.
43 The rule's action has two possible values:
45 • AUDIT_NEVER - Do not build context if rule matches.
48 • AUDIT_ALWAYS - Generate audit record if rule matches.
50
52 The return value is <= 0 on error, otherwise it is the netlink sequence
53 id number. This function can have any error that sendto would en‐
54 counter.
55
58 audit_rule_fieldpair_data(3), audit_delete_rule_data(3), auditctl(8).
59
62 Steve Grubb.
63Red Hat Aug 2009 AUDIT_ADD_RULE_DATA(3)