AUDIT_ADD_RULE_DATA(3) Linux Audit API AUDIT_ADD_RULE_DATA(3)
audit_add_rule_data - Add new audit rule
#include <libaudit.h> int audit_add_rule_data(int fd, struct audit_rule_data *rule, int flags, int action);
audit_add_rule_data adds an audit rule previously constructed with audit_rule_fieldpair_data(3) to one of several kernel event filters. The filter is specified by the flags argument. Possible values for flags are: • AUDIT_FILTER_USER - Apply rule to userspace generated messages. This is the user filter. Normally all user space originating events are accepted. Rules on this filter are typically written to block specific events. • AUDIT_FILTER_TASK - Apply rule at task creation (not syscall). This is the task filter. It's normally used to exclude an application from being audited. • AUDIT_FILTER_EXIT - Apply rule at syscall exit. This is the main filter that is used for syscalls and filesystem watches. Normally all syscall do not trigger events, so this is normally used to specify events that are of interest. • AUDIT_FILTER_EXCLUDE - Apply rule at audit_log_start. This is the exclude filter which discards any records that match. The action type is ignored for this filter, defaulting to "never". • AUDIT_FILTER_FS - Apply rule when adding PATH auxiliary records to SYSCALL events. This is the filesystem filter. This is used to ignore PATH records that are not of interest. The rule's action has two possible values: • AUDIT_NEVER - Do not build context if rule matches. • AUDIT_ALWAYS - Generate audit record if rule matches.
The return value is <= 0 on error, otherwise it is the netlink sequence id number. This function can have any error that sendto would encounter.
audit_rule_fieldpair_data(3), audit_delete_rule_data(3), auditctl(8).
This page is part of the audit (Linux Audit) project. Information about the project can be found at ⟨http://people.redhat.com/sgrubb/audit/⟩. If you have a bug report for this manual page, send it to email@example.com. This page was obtained from the project's upstream Git repository ⟨https://github.com/linux-audit/audit-userspace.git⟩ on 2021-06-20. (At that time, the date of the most recent commit that was found in the repository was 2021-06-18.) If you discover any rendering problems in this HTML version of the page, or you believe there is a better or more up-to-date source for the page, or you have corrections or improvements to the information in this COLOPHON (which is not part of the original manual page), send a mail to firstname.lastname@example.org Red Hat Aug 2009 AUDIT_ADD_RULE_DATA(3)
Pages that refer to this page: audit_add_watch(3), audit_delete_rule_data(3), audit_request_rules_list_data(3), audit_set_enabled(3), audit_update_watch_perms(3)