On Wednesday 07 June 2006 14:30, Steve wrote:
> I am trying to add a rule using audit_add_rule() so audit will "watch" a
> file. The first problem is that there doesn't seem to be an appropriate
> field under the "Rule Fields" section of audit.h. The second is that
> the value must be an integer...

You need to be using the audit_rule_data structure. It allows strings to be added to it. For an example of setting up a watch, look at the code in auditctl.c. Look for audit_setup_watch_name(). You'll need to replicate the code in it. Then call audit_add_rule_data().

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
