From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Adding rules
Date: Wed, 7 Jun 2006 14:50:50 -0400
Message-ID: <200606071450.51264.sgrubb@redhat.com>
References: <44871B2B.4050807@ornl.gov>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
In-Reply-To: <44871B2B.4050807@ornl.gov>
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday 07 June 2006 14:30, Steve wrote:
> I am trying to add a rule using audit_add_rule() so audit will "watch" a
> file. The first problem is that there doesn't seem to be an appropriate
> field under the "Rule Fields" section of audit.h. The second is that
> the value must be an integer...

You need to be using the audit_rule_data structure. It allows strings to be
added to it. For an example of setting up a watch, look at the code in
auditctl.c. Look for audit_setup_watch_name(). You'll need to replicate the
code in it. Then call audit_add_rule_data().

-Steve