From df5afa4fcd9725380f94ca6476248d4cc24f889a Mon Sep 17 00:00:00 2001 From: Ashlee Young Date: Sun, 29 Nov 2015 08:22:13 -0800 Subject: v2.4.4 audit sources Change-Id: I9315a7408817db51edf084fb4d27fbb492785084 Signed-off-by: Ashlee Young --- framework/src/audit/docs/audit_add_rule_data.3 | 49 ++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 framework/src/audit/docs/audit_add_rule_data.3 (limited to 'framework/src/audit/docs/audit_add_rule_data.3') diff --git a/framework/src/audit/docs/audit_add_rule_data.3 b/framework/src/audit/docs/audit_add_rule_data.3 new file mode 100644 index 00000000..2321f391 --- /dev/null +++ b/framework/src/audit/docs/audit_add_rule_data.3 @@ -0,0 +1,49 @@ +.TH "AUDIT_ADD_RULE_DATA" "3" "Aug 2009" "Red Hat" "Linux Audit API" +.SH NAME +audit_add_rule_data \- Add new audit rule +.SH "SYNOPSIS" +.B #include +.sp +int audit_add_rule_data (int fd, struct audit_rule_data *rule, int flags, int action); + +.SH "DESCRIPTION" + +audit_add_rule adds an audit rule previously constructed with audit_rule_fieldpair_data(3) to one of several kernel event filters. The filter is specified by the flags argument. Possible values for flags are: + +.TP 3 +\(bu +AUDIT_FILTER_USER - Apply rule to userspace generated messages. +.TP +\(bu +AUDIT_FILTER_TASK - Apply rule at task creation (not syscall). +.TP +\(bu +AUDIT_FILTER_EXIT - Apply rule at syscall exit. +.TP +\(bu +AUDIT_FILTER_TYPE - Apply rule at audit_log_start. +.LP + +.PP +The rule's action has two possible values: + +.TP 3 +\(bu +AUDIT_NEVER - Do not build context if rule matches. +.TP +\(bu +AUDIT_ALWAYS - Generate audit record if rule matches. +.LP + +.SH "RETURN VALUE" + +The return value is <= 0 on error, otherwise it is the netlink sequence id number. This function can have any error that sendto would encounter. + +.SH "SEE ALSO" + +.BR audit_rule_fieldpair_data(3), +.BR audit_delete_rule_data (3), +.BR auditctl (8). + +.SH AUTHOR +Steve Grubb. -- cgit 1.2.3-korg
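Review bot: The DESCRIPTION paragraph calls the function "audit_add_rule", while the NAME and SYNOPSIS sections document audit_add_rule_data; the paragraph should open with "audit_add_rule_data adds an audit rule ..." so the page matches the prototype it describes. In SYNOPSIS, the ".B #include" line as shown here names no header, so a reader cannot tell what to include to get the prototype and struct audit_rule_data; it should carry the header name. In SEE ALSO, "audit_rule_fieldpair_data(3)," has no space before the section number, unlike "audit_delete_rule_data (3)" and "auditctl (8)"; with .BR the space is needed for the "(3)" to be set in roman like the other two entries. RETURN VALUE says only that the result is "<= 0 on error" and that any sendto error is possible; it would help callers if it stated whether the value is a negated errno, since otherwise they cannot distinguish failure causes.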