audit_add_rule adds an audit rule previously constructed with
audit_rule_fieldpair_data(3) to one of several kernel event filters.
The filter is specified by the flags argument. Possible values for flags are:
· AUDIT_FILTER_USER - Apply rule to userspace generated messages.
· AUDIT_FILTER_TASK - Apply rule at task creation (not syscall).
· AUDIT_FILTER_EXIT - Apply rule at syscall exit.
· AUDIT_FILTER_TYPE - Apply rule at audit_log_start.
The rule's action has two possible values:
· AUDIT_NEVER - Do not build context if rule matches.
· AUDIT_ALWAYS - Generate audit record if rule matches.
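
A guard that a caller could put in front of audit_add_rule, as an added example that is not code from the audit project. checked_add_rule, dry_run_add and add_rule_fn are hypothetical names; the wrapper accepts only the filters and actions listed above and allows a syscall mask only on the syscall-exit filter. It needs only the kernel header linux/audit.h, and assumes the libaudit adder takes (fd, rule, flags, action), so that function can be passed as the last argument in real use.

```c
#include <errno.h>
#include <stdio.h>
#include <linux/audit.h> /* AUDIT_FILTER_*, AUDIT_NEVER, AUDIT_ALWAYS, struct audit_rule_data */

/* Assumed signature of the libaudit rule adder; pass that function in real use. */
typedef int (*add_rule_fn)(int fd, struct audit_rule_data *rule, int flags, int action);

/* Hypothetical stand-in backend: records the request in the rule, sends nothing. */
int dry_run_add(int fd, struct audit_rule_data *rule, int flags, int action)
{
    (void)fd;
    rule->flags = flags;
    rule->action = action;
    return 0;
}

/* Returns 1 if any syscall bit is set in the rule's mask. */
static int rule_has_syscalls(const struct audit_rule_data *rule)
{
    for (unsigned i = 0; i < AUDIT_BITMASK_SIZE; i++)
        if (rule->mask[i])
            return 1;
    return 0;
}

/* Hypothetical wrapper: validate (flags, action) before calling add(). */
int checked_add_rule(int fd, struct audit_rule_data *rule, int flags, int action, add_rule_fn add)
{
    if (!rule || !add)
        return -EINVAL;
    if (flags != AUDIT_FILTER_USER && flags != AUDIT_FILTER_TASK &&
        flags != AUDIT_FILTER_EXIT && flags != AUDIT_FILTER_TYPE)
        return -EINVAL;                 /* not a filter listed on this page */
    if (action != AUDIT_NEVER && action != AUDIT_ALWAYS)
        return -EINVAL;                 /* not one of the two listed actions */
    if (flags != AUDIT_FILTER_EXIT && rule_has_syscalls(rule))
        return -EINVAL;                 /* syscall mask only fits the syscall-exit filter */
    return add(fd, rule, flags, action);
}

int main(void)
{
    struct audit_rule_data rule = {0};  /* constructed sample: one syscall bit set */
    rule.mask[0] = 1u;
    printf("exit,always -> %d\n", checked_add_rule(-1, &rule, AUDIT_FILTER_EXIT, AUDIT_ALWAYS, dry_run_add));
    printf("task,always -> %d\n", checked_add_rule(-1, &rule, AUDIT_FILTER_TASK, AUDIT_ALWAYS, dry_run_add));
    return 0;
}
```
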
This page is part of the audit (Linux Audit) project. Information
about the project can be found at
⟨http://people.redhat.com/sgrubb/audit/⟩. If you have a bug report
for this manual page, send it to firstname.lastname@example.org. This page
was obtained from the project's upstream Git repository
⟨https://github.com/linux-audit/audit-userspace.git⟩ on 2017-03-13.
Red Hat Aug 2009 AUDIT_ADD_RULE_DATA(3)