audit_add_rule_data

AUDIT_ADD_RULE_DATA(3)          Linux Audit API         AUDIT_ADD_RULE_DATA(3)



NAME
       audit_add_rule_data - Add new audit rule

SYNOPSIS
       #include <libaudit.h>

       int audit_add_rule_data (int fd, struct audit_rule_data *rule, int
       flags, int action);


DESCRIPTION
       audit_add_rule_data adds an audit rule to one of several kernel event
       filters. The filter is specified by the flags argument. Possible values
       for flags are:


       ·  AUDIT_FILTER_USER - Apply rule to userspace generated messages.

       ·  AUDIT_FILTER_TASK - Apply rule at task creation (not syscall).

       ·  AUDIT_FILTER_ENTRY - Apply rule at syscall entry.

       ·  AUDIT_FILTER_WATCH - Apply rule to file system watches.

       ·  AUDIT_FILTER_EXIT - Apply rule at syscall exit.

       ·  AUDIT_FILTER_TYPE - Apply rule at audit_log_start.

       The rule's action has two possible values:


       ·  AUDIT_NEVER - Do not build context if rule matches.

       ·  AUDIT_ALWAYS - Generate audit record if rule matches.

RETURN VALUE
       The return value is <= 0 on error, otherwise it is the netlink sequence
       id number. This function can have any error that sendto would
       encounter.


SEE ALSO
       audit_delete_rule_data(3), auditctl(8).


AUTHOR
       Steve Grubb.



Red Hat                            Oct 2006             AUDIT_ADD_RULE_DATA(3)