Package flags provides parsing of audit rules as specified using CLI flags in accordance to the man page for auditctl (from the auditd userspace tools).

Build builds an audit rule.

ToCommandLine decodes a WireFormat into a command-line rule.

SyscallRule.

The access types that can be audited for file watches.

DeleteAllRule.

The access types that can be audited for file watches.

FileWatchRule.

Inter-field comparison filtering (-C).

SyscallRule.

The access types that can be audited for file watches.

Filtering based on values (-F).

The access types that can be audited for file watches.

DeleteAllRule deletes all existing rules.

FileWatchRule is used to audit access to particular files or directories that you may be interested in.

FilterSpec defines a filter to apply to a syscall rule.

SyscallRule is used to audit invocations of specific syscalls.

Rule is the generic interface that all rule types implement.

AccessType specifies the type of file access to audit.

FilterType specifies a type of filter to apply to a syscall rule.

Type specifies the audit rule type.

WireFormat is the binary representation of a rule as used to exchange rules (commands) with the kernel.