audit_add_rule_data - Linux


audit_add_rule_data is a Linux command used to add data to a rule for the kernel’s audit subsystem. This data can configure how the rule is applied and what actions the system will take if a violation is detected.


audit_add_rule_data -R <rule> -d <data>


  • -R : Specifies the rule to which the data will be added. The rule can be identified by its name or number.
  • -d : Specifies the data to be added to the rule. The data can be any valid key-value pair. Common examples include:
    • action: Specifies the action to be taken when a violation is detected. Valid actions include never, audit, always, and ignore.
    • field: Specifies the field on which the rule will be applied. Valid fields include various system properties, such as uid, path, and execve.
    • op: Specifies the operator to be used when comparing the field with the value. Valid operators include =, !=, >, >=, <, and <=.
    • value: Specifies the value to be compared with the field.


  1. Add an action to a rule:

    audit_add_rule_data -R my_rule -d action=always
  2. Modify the field and operator for a rule:

    audit_add_rule_data -R my_rule -d field=path op=> value=/bin/*

Common Issues

  • Rule not found: Ensure that the rule specified in -R exists in the audit configuration.
  • Invalid data: Verify that the data provided in -d is in the correct format and contains valid values.
  • Permission denied: The command must be run with elevated privileges (e.g., as root).


audit_add_rule_data can be used in conjunction with other audit-related commands:

  • auditctl: To manage audit rules and view the current audit configuration.
  • ausearch: To search audit logs for events that match a specific rule.

Related Commands