blob: 2321f3914e954e6e375a013ebcc6a9cbc26afff5 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
|
.TH "AUDIT_ADD_RULE_DATA" "3" "Aug 2009" "Red Hat" "Linux Audit API"
.SH NAME
audit_add_rule_data \- Add new audit rule
.SH "SYNOPSIS"
.B #include <libaudit.h>
.sp
int audit_add_rule_data (int fd, struct audit_rule_data *rule, int flags, int action);
.SH "DESCRIPTION"
audit_add_rule adds an audit rule previously constructed with audit_rule_fieldpair_data(3) to one of several kernel event filters. The filter is specified by the flags argument. Possible values for flags are:
.TP 3
\(bu
AUDIT_FILTER_USER - Apply rule to userspace generated messages.
.TP
\(bu
AUDIT_FILTER_TASK - Apply rule at task creation (not syscall).
.TP
\(bu
AUDIT_FILTER_EXIT - Apply rule at syscall exit.
.TP
\(bu
AUDIT_FILTER_TYPE - Apply rule at audit_log_start.
.LP
.PP
The rule's action has two possible values:
.TP 3
\(bu
AUDIT_NEVER - Do not build context if rule matches.
.TP
\(bu
AUDIT_ALWAYS - Generate audit record if rule matches.
.LP
.SH "RETURN VALUE"
The return value is <= 0 on error, otherwise it is the netlink sequence id number. This function can have any error that sendto would encounter.
.SH "SEE ALSO"
.BR audit_rule_fieldpair_data(3),
.BR audit_delete_rule_data (3),
.BR auditctl (8).
.SH AUTHOR
Steve Grubb.
|
