1AUDIT_ADD_RULE_DATA(3) Linux Audit API AUDIT_ADD_RULE_DATA(3)
2
3
4
6 audit_add_rule_data - Add new audit rule
7
9 #include <libaudit.h>
10
11 int audit_add_rule_data (int fd, struct audit_rule_data *rule, int
12 flags, int action);
13
14
16 audit_add_rule adds an audit rule to one of several kernel event fil‐
17 ters. The filter is specified by the flags argument. Possible values
18 for flags are:
19
20
21 · AUDIT_FILTER_USER - Apply rule to userspace generated messages.
22
23 · AUDIT_FILTER_TASK - Apply rule at task creation (not syscall).
24
25 · AUDIT_FILTER_ENTRY - Apply rule at syscall entry.
26
27 · AUDIT_FILTER_WATCH - Apply rule to file system watches.
28
29 · AUDIT_FILTER_EXIT - Apply rule at syscall exit.
30
31 · AUDIT_FILTER_TYPE - Apply rule at audit_log_start.
32
33 The rule's action has two possible values:
34
35
36 · AUDIT_NEVER - Do not build context if rule matches.
37
38 · AUDIT_ALWAYS - Generate audit record if rule matches.
39
41 The return value is <= 0 on error, otherwise it is the netlink sequence
42 id number. This function can have any error that sendto would
43 encounter.
44
45
47 audit_delete_rule_data(3), audit_add_watch(3), auditctl(8).
48
49
51 Steve Grubb.
52
53
54
55Red Hat Oct 2006 AUDIT_ADD_RULE_DATA(3)