audit_add_rule_data - Add new audit rule
int audit_add_rule_data (int fd, struct audit_rule_data *rule, int flags, int
audit_add_rule adds an audit rule previously constructed with
audit_rule_fieldpair_data(3) to one of several kernel event filters. The
filter is specified by the flags argument. Possible values for flags are:
- AUDIT_FILTER_USER - Apply rule to userspace generated
messages. This is the user filter. Normally all user space originating
events are accepted. Rules on this filter are typically written to block
- AUDIT_FILTER_TASK - Apply rule at task creation (not
syscall). This is the task filter. It's normally used to exclude an
application from being audited.
- AUDIT_FILTER_EXIT - Apply rule at syscall exit. This is the
main filter that is used for syscalls and filesystem watches. Normally all
syscall do not trigger events, so this is normally used to specify events
that are of interest.
- AUDIT_FILTER_TYPE - Apply rule at audit_log_start. This is
the exclude filter which discards any records that match. The action type
is ignored for this filter, defaulting to "never".
- AUDIT_FILTER_FS - Apply rule when adding PATH auxiliary
records to SYSCALL events. This is the filesystem filter. This is used to
ignore PATH records that are not of interest.
The rule's action has two possible values:
- AUDIT_NEVER - Do not build context if rule matches.
- AUDIT_ALWAYS - Generate audit record if rule matches.
The return value is <= 0 on error, otherwise it is the netlink sequence id
number. This function can have any error that sendto would encounter.