AUDIT_ADD_RULE_DATA(3)         Linux Audit API        AUDIT_ADD_RULE_DATA(3)

NAME         top

       audit_add_rule_data - Add new audit rule

SYNOPSIS         top

       #include <libaudit.h>

       int audit_add_rule_data (int fd, struct audit_rule_data *rule, int
       flags, int action);

DESCRIPTION         top

       audit_add_rule adds an audit rule previously constructed with
       audit_rule_fieldpair_data(3) to one of several kernel event filters.
       The filter is specified by the flags argument. Possible values for
       flags are:

       ·  AUDIT_FILTER_USER - Apply rule to userspace generated messages.

       ·  AUDIT_FILTER_TASK - Apply rule at task creation (not syscall).

       ·  AUDIT_FILTER_EXIT - Apply rule at syscall exit.

       ·  AUDIT_FILTER_TYPE - Apply rule at audit_log_start.

       The rule's action has two possible values:

       ·  AUDIT_NEVER - Do not build context if rule matches.

       ·  AUDIT_ALWAYS - Generate audit record if rule matches.

RETURN VALUE         top

       The return value is <= 0 on error, otherwise it is the netlink
       sequence id number. This function can have any error that sendto
       would encounter.

SEE ALSO         top

       audit_rule_fieldpair_data(3), audit_delete_rule_data(3), auditctl(8).

AUTHOR         top

       Steve Grubb.

COLOPHON         top

       This page is part of the audit (Linux Audit) project.  Information
       about the project can be found at 
       ⟨⟩.  If you have a bug report
       for this manual page, send it to  This page
       was obtained from the project's upstream Git repository 
       ⟨⟩ on 2017-05-03.
       If you discover any rendering problems in this HTML version of the
       page, or you believe there is a better or more up-to-date source for
       the page, or you have corrections or improvements to the information
       in this COLOPHON (which is not part of the original manual page),
       send a mail to

Red Hat                           Aug 2009            AUDIT_ADD_RULE_DATA(3)

Pages that refer to this page: audit_add_watch(3)audit_delete_rule_data(3)audit_request_rules_list_data(3)audit_set_enabled(3)audit_update_watch_perms(3)