audit_add_rule_data(3) [debian man page]

AUDIT_ADD_RULE_DATA(3)						  Linux Audit API					    AUDIT_ADD_RULE_DATA(3)

NAME
audit_add_rule_data - Add new audit rule

SYNOPSIS
#include <libaudit.h>

int audit_add_rule_data (int fd, struct audit_rule_data *rule, int flags, int action);

DESCRIPTION
audit_add_rule adds an audit rule to one of several kernel event filters. The filter is specified by the flags argument. Possible values for flags are:

o AUDIT_FILTER_USER - Apply rule to userspace generated messages.
o AUDIT_FILTER_TASK - Apply rule at task creation (not syscall).
o AUDIT_FILTER_ENTRY - Apply rule at syscall entry.
o AUDIT_FILTER_WATCH - Apply rule to file system watches.
o AUDIT_FILTER_EXIT - Apply rule at syscall exit.
o AUDIT_FILTER_TYPE - Apply rule at audit_log_start.

The rule's action has two possible values:

o AUDIT_NEVER - Do not build context if rule matches.
o AUDIT_ALWAYS - Generate audit record if rule matches.

RETURN VALUE
The return value is <= 0 on error, otherwise it is the netlink sequence id number. This function can have any error that sendto would encounter.

SEE ALSO
audit_delete_rule_data(3), audit_add_watch(3), auditctl(8).

AUTHOR
Steve Grubb.

Red Hat								     Oct 2006					    AUDIT_ADD_RULE_DATA(3)

AUSEARCH_ADD_ITEM(3)						  Linux Audit API					      AUSEARCH_ADD_ITEM(3)

NAME
ausearch_add_item - build up search rule

SYNOPSIS
#include <auparse.h>

int ausearch_add_item(auparse_state_t *au, const char *field, const char *op, const char *value, ausearch_rule_t how);

DESCRIPTION
ausearch_add_item adds one search condition to the current audit search expression. The search conditions can then be used to scan logs, files, or buffers for something of interest. The field value is the field name that the value will be checked for. The op variable describes what kind of check is to be done. Legal op values are:

exists
just check that a field name exists

=
locate the field name and check that the value associated with it is equal to the value given in this rule.

!=
locate the field name and check that the value associated with it is NOT equal to the value given in this rule.

The value parameter is compared to the uninterpreted field value.

The how value determines how this search condition will affect the existing search expression if one is already defined. The possible values are:

AUSEARCH_RULE_CLEAR
Clear the current search expression, if any, and use only this search condition.

AUSEARCH_RULE_OR
If a search expression E is already configured, replace it by (E || this_search_condition).

AUSEARCH_RULE_AND
If a search expression E is already configured, replace it by (E && this_search_condition).

RETURN VALUE
Returns -1 if an error occurs; otherwise, 0 for success.

SEE ALSO
ausearch_add_expression(3), ausearch_add_interpreted_item(3), ausearch_add_timestamp_item(3), ausearch_add_regex(3), ausearch_set_stop(3), ausearch_clear(3), ausearch_next_event(3), ausearch-expression(5).

AUTHOR
Steve Grubb

Red Hat								     Nov 2007					      AUSEARCH_ADD_ITEM(3)
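
Because each call wraps the expression built so far, three calls with CLEAR, OR and AND produce ((c1 || c2) && c3), not c1 || (c2 && c3), and values are matched against the raw log text. The following is an added example, not part of the man page and not libauparse code: a plain C model of that composition. All type and function names, the sample records, and the treatment of a missing field as a non-match are assumptions of the model.

```c
#include <stdio.h>
#include <string.h>

/* Stand-alone model with hypothetical names; it does not call libauparse. */
enum how { RULE_CLEAR, RULE_OR, RULE_AND };
struct kv   { const char *field, *value; };   /* one raw field=value pair */
struct item { const char *field, *op, *value; enum how how; };

/* Test one condition against a record of n uninterpreted fields. */
static int match_item(const struct item *it, const struct kv *rec, int n)
{
    for (int i = 0; i < n; i++) {
        if (strcmp(rec[i].field, it->field) != 0)
            continue;
        if (strcmp(it->op, "exists") == 0)
            return 1;
        int eq = strcmp(rec[i].value, it->value) == 0;
        return strcmp(it->op, "=") == 0 ? eq : !eq;
    }
    return 0;   /* assumption of this model: a missing field never matches */
}

/* Fold the items in call order; each one wraps the expression built so far. */
int eval_search(const struct item *items, int nitems, const struct kv *rec, int n)
{
    int e = 0;
    for (int i = 0; i < nitems; i++) {
        int c = match_item(&items[i], rec, n);
        if (i == 0 || items[i].how == RULE_CLEAR)
            e = c;
        else
            e = (items[i].how == RULE_OR) ? (e || c) : (e && c);
    }
    return e;
}

/* Constructed sample data: three add_item calls and two records. */
const struct item query[] = {
    { "auid", "=", "1000", RULE_CLEAR },
    { "uid", "=", "0", RULE_OR },
    { "success", "=", "yes", RULE_AND },  /* ((auid=1000 || uid=0) && success=yes) */
};
const struct kv rec_failed[] = { {"auid","1000"}, {"uid","1000"}, {"success","no"} };
const struct kv rec_root[]   = { {"auid","0"}, {"uid","0"}, {"success","yes"} };
const struct item by_name[]  = { { "uid", "=", "root", RULE_CLEAR } };

int main(void)
{
    printf("failed event: %d\n", eval_search(query, 3, rec_failed, 3));
    printf("root event:   %d\n", eval_search(query, 3, rec_root, 3));
    printf("uid=root:     %d\n", eval_search(by_name, 1, rec_root, 3));
    return 0;
}
```

The failed event is rejected because the trailing AND applies to the whole preceding OR, and the `uid = root` search misses because the raw field value is the number 0; ausearch_add_interpreted_item(3) is the call listed above for matching interpreted values.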