Creating Custom Agent Rules

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Agent expression syntax

Cloud Workload Security (CWS) first evaluates activity within the Datadog Agent against Agent expressions to decide what activity to collect. This portion of a CWS rule is called the Agent expression. Agent expressions use Datadog’s Security Language (SECL). The standard format of a SECL expression is as follows:

<event-type>.<event-attribute> <operator> <value> <event-attribute> ...

Using this format, an example rule looks like this:

open.file.path == "/etc/shadow" && file.path not in ["/usr/sbin/vipw"]

Triggers

Triggers are events that correspond to types of activity seen by the system. The currently supported set of triggers is:

SECL EventTypeDefinitionAgent Version
bindNetwork[Experimental] A bind was executed7.37
bpfKernelA BPF command was executed7.33
capsetProcessA process changed its capacity set7.27
chmodFileA file’s permissions were changed7.27
chownFileA file’s owner was changed7.27
dnsNetworkA DNS request was sent7.36
execProcessA process was executed or forked7.27
exitProcessA process was terminated7.38
linkFileCreate a new name/alias for a file7.27
load_moduleKernelA new kernel module was loaded7.35
mkdirFileA directory was created7.27
mmapKernelA mmap command was executed7.35
mountFile[Experimental] A filesystem was mounted7.42
mprotectKernelA mprotect command was executed7.35
openFileA file was opened7.27
ptraceKernelA ptrace command was executed7.35
removexattrFileRemove extended attributes7.27
renameFileA file/directory was renamed7.27
rmdirFileA directory was removed7.27
selinuxKernelAn SELinux operation was run7.30
setgidProcessA process changed its effective gid7.27
setuidProcessA process changed its effective uid7.27
setxattrFileSet exteneded attributes7.27
signalProcessA signal was sent7.35
spliceFileA splice command was executed7.36
unlinkFileA file was deleted7.27
unload_moduleKernelA kernel module was deleted7.35
utimesFileChange file access/modification times7.27

Operators

SECL operators are used to combine event attributes together into a full expression. The following operators are available:

SECL OperatorTypesDefinitionAgent Version
==ProcessEqual7.27
!=FileNot equal7.27
>FileGreater7.27
>=FileGreater or equal7.27
<FileLesser7.27
<=FileLesser or equal7.27
!FileNot7.27
^FileBinary not7.27
in [elem1, ...]FileElement is contained in list7.27
not in [elem1, ...]FileElement is not contained in list7.27
=~FileString matching7.27
!~FileString not matching7.27
&FileBinary and7.27
|FileBinary or7.27
&&FileLogical and7.27
||FileLogical or7.27
in CIDRNetworkElement is in the IP range7.37
not in CIDRNetworkElement is not in the IP range7.37
allin CIDRNetworkAll the elements are in the IP range7.37
in [CIDR1, ...]NetworkElement is in the IP ranges7.37
not in [CIDR1, ...]NetworkElement is not in the IP ranges7.37
allin [CIDR1, ...]NetworkAll the elements are in the IP ranges7.37

Patterns and regular expressions

Patterns or regular expressions can be used in SECL expressions. They can be used with the in, not in, =~, and !~ operators.

FormatExampleSupported FieldsAgent Version
~"pattern"~"httpd.*"All7.27
r"regexp"r"rc[0-9]+"All except .path7.27

Patterns on .path fields will be used as Glob. * will match files and folders at the same level. **, introduced in 7.34, can be used at the end of a path in order to match all the files and subfolders.

Duration

You can use SECL to write rules based on durations, which trigger on events that occur during a specific time period. For example, trigger on an event where a secret file is accessed more than a certain length of time after a process is created. Such a rule could be written as follows:

open.file.path == "/etc/secret" && process.file.name == "java" && process.created_at > 5s

Durations are numbers with a unit suffix. The supported suffixes are “s”, “m”, “h”.

Variables

SECL variables are predefined variables that can be used as values or as part of values.

For example, rule using a process.pid variable looks like this:

open.file.path == "/proc/${process.pid}/maps"

List of the available variables:

SECL VariableDefinitionAgent Version
process.pidProcess PID7.33

CIDR and IP range

CIDR and IP matching is possible in SECL. One can use operators such as in, not in, or allin combined with CIDR or IP notations.

Such rules can be written as follows:

dns.question.name == "example.com" && network.destination.ip in ["192.168.1.25", "10.0.0.0/24"]

Helpers

Helpers exist in SECL that enable users to write advanced rules without needing to rely on generic techniques such as regex.

Command line arguments

The args_flags and args_options are helpers to ease the writing of CWS rules based on command line arguments.

args_flags is used to catch arguments that start with either one or two hyphen characters but do not accept any associated value.

Examples:

  • version is part of args_flags for the command cat --version
  • l and n both are in args_flags for the command netstat -ln

args_options is used to catch arguments that start with either one or two hyphen characters and accepts a value either specified as the same argument but separated by the ‘=’ character or specified as the next argument.

Examples:

  • T=8 and width=8 both are in args_options for the command ls -T 8 --width=8
  • exec.args_options ~= [ “s=.*\’” ] can be used to detect sudoedit was launched with -s argument and a command that ends with a \

File rights

The file.rights attribute can now be used in addition to file.mode. file.mode can hold values set by the kernel, while the file.rights only holds the values set by the user. These rights may be more familiar because they are in the chmod commands.

Event types

Common to all event types

PropertyTypeDefinitionConstants
asyncboolTrue if the syscall was asynchronous
container.idstringID of the container
container.tagsstringTags of the container
network.destination.ipIP/CIDRIP address
network.destination.portintPort number
network.device.ifindexintinterface ifindex
network.device.ifnamestringinterface ifname
network.l3_protocolintl3 protocol of the network packetL3 protocols
network.l4_protocolintl4 protocol of the network packetL4 protocols
network.sizeintsize in bytes of the network packet
network.source.ipIP/CIDRIP address
network.source.portintPort number
process.ancestors.argsstringArguments of the process (as a string)
process.ancestors.args_flagsstringArguments of the process (as an array)
process.ancestors.args_optionsstringArguments of the process (as an array)
process.ancestors.args_truncatedboolIndicator of arguments truncation
process.ancestors.argvstringArguments of the process (as an array)
process.ancestors.argv0stringFirst argument of the process
process.ancestors.cap_effectiveintEffective capability set of the processKernel Capability constants
process.ancestors.cap_permittedintPermitted capability set of the processKernel Capability constants
process.ancestors.commstringComm attribute of the process
process.ancestors.container.idstringContainer ID
process.ancestors.cookieintCookie of the process
process.ancestors.created_atintTimestamp of the creation of the process
process.ancestors.egidintEffective GID of the process
process.ancestors.egroupstringEffective group of the process
process.ancestors.envpstringEnvironment variables of the process
process.ancestors.envsstringEnvironment variable names of the process
process.ancestors.envs_truncatedboolIndicator of environment variables truncation
process.ancestors.euidintEffective UID of the process
process.ancestors.euserstringEffective user of the process
process.ancestors.file.change_timeintChange time of the file
process.ancestors.file.filesystemstringFile’s filesystem
process.ancestors.file.gidintGID of the file’s owner
process.ancestors.file.groupstringGroup of the file’s owner
process.ancestors.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
process.ancestors.file.inodeintInode of the file
process.ancestors.file.modeintMode/rights of the fileChmod mode constants
process.ancestors.file.modification_timeintModification time of the file
process.ancestors.file.mount_idintMount ID of the file
process.ancestors.file.namestringFile’s basename
process.ancestors.file.name.lengthintLength of ‘process.ancestors.file.name’ string
process.ancestors.file.pathstringFile’s path
process.ancestors.file.path.lengthintLength of ‘process.ancestors.file.path’ string
process.ancestors.file.rightsintMode/rights of the fileChmod mode constants
process.ancestors.file.uidintUID of the file’s owner
process.ancestors.file.userstringUser of the file’s owner
process.ancestors.fsgidintFileSystem-gid of the process
process.ancestors.fsgroupstringFileSystem-group of the process
process.ancestors.fsuidintFileSystem-uid of the process
process.ancestors.fsuserstringFileSystem-user of the process
process.ancestors.gidintGID of the process
process.ancestors.groupstringGroup of the process
process.ancestors.interpreter.file.change_timeintChange time of the file
process.ancestors.interpreter.file.filesystemstringFile’s filesystem
process.ancestors.interpreter.file.gidintGID of the file’s owner
process.ancestors.interpreter.file.groupstringGroup of the file’s owner
process.ancestors.interpreter.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
process.ancestors.interpreter.file.inodeintInode of the file
process.ancestors.interpreter.file.modeintMode/rights of the fileChmod mode constants
process.ancestors.interpreter.file.modification_timeintModification time of the file
process.ancestors.interpreter.file.mount_idintMount ID of the file
process.ancestors.interpreter.file.namestringFile’s basename
process.ancestors.interpreter.file.name.lengthintLength of ‘process.ancestors.interpreter.file.name’ string
process.ancestors.interpreter.file.pathstringFile’s path
process.ancestors.interpreter.file.path.lengthintLength of ‘process.ancestors.interpreter.file.path’ string
process.ancestors.interpreter.file.rightsintMode/rights of the fileChmod mode constants
process.ancestors.interpreter.file.uidintUID of the file’s owner
process.ancestors.interpreter.file.userstringUser of the file’s owner
process.ancestors.is_kworkerboolIndicates whether the process is a kworker
process.ancestors.is_threadboolIndicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
process.ancestors.pidintProcess ID of the process (also called thread group ID)
process.ancestors.ppidintParent process ID
process.ancestors.tidintThread ID of the thread
process.ancestors.tty_namestringName of the TTY associated with the process
process.ancestors.uidintUID of the process
process.ancestors.userstringUser of the process
process.argsstringArguments of the process (as a string)
process.args_flagsstringArguments of the process (as an array)
process.args_optionsstringArguments of the process (as an array)
process.args_truncatedboolIndicator of arguments truncation
process.argvstringArguments of the process (as an array)
process.argv0stringFirst argument of the process
process.cap_effectiveintEffective capability set of the processKernel Capability constants
process.cap_permittedintPermitted capability set of the processKernel Capability constants
process.commstringComm attribute of the process
process.container.idstringContainer ID
process.cookieintCookie of the process
process.created_atintTimestamp of the creation of the process
process.egidintEffective GID of the process
process.egroupstringEffective group of the process
process.envpstringEnvironment variables of the process
process.envsstringEnvironment variable names of the process
process.envs_truncatedboolIndicator of environment variables truncation
process.euidintEffective UID of the process
process.euserstringEffective user of the process
process.file.change_timeintChange time of the file
process.file.filesystemstringFile’s filesystem
process.file.gidintGID of the file’s owner
process.file.groupstringGroup of the file’s owner
process.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
process.file.inodeintInode of the file
process.file.modeintMode/rights of the fileChmod mode constants
process.file.modification_timeintModification time of the file
process.file.mount_idintMount ID of the file
process.file.namestringFile’s basename
process.file.name.lengthintLength of ‘process.file.name’ string
process.file.pathstringFile’s path
process.file.path.lengthintLength of ‘process.file.path’ string
process.file.rightsintMode/rights of the fileChmod mode constants
process.file.uidintUID of the file’s owner
process.file.userstringUser of the file’s owner
process.fsgidintFileSystem-gid of the process
process.fsgroupstringFileSystem-group of the process
process.fsuidintFileSystem-uid of the process
process.fsuserstringFileSystem-user of the process
process.gidintGID of the process
process.groupstringGroup of the process
process.interpreter.file.change_timeintChange time of the file
process.interpreter.file.filesystemstringFile’s filesystem
process.interpreter.file.gidintGID of the file’s owner
process.interpreter.file.groupstringGroup of the file’s owner
process.interpreter.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
process.interpreter.file.inodeintInode of the file
process.interpreter.file.modeintMode/rights of the fileChmod mode constants
process.interpreter.file.modification_timeintModification time of the file
process.interpreter.file.mount_idintMount ID of the file
process.interpreter.file.namestringFile’s basename
process.interpreter.file.name.lengthintLength of ‘process.interpreter.file.name’ string
process.interpreter.file.pathstringFile’s path
process.interpreter.file.path.lengthintLength of ‘process.interpreter.file.path’ string
process.interpreter.file.rightsintMode/rights of the fileChmod mode constants
process.interpreter.file.uidintUID of the file’s owner
process.interpreter.file.userstringUser of the file’s owner
process.is_kworkerboolIndicates whether the process is a kworker
process.is_threadboolIndicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
process.parent.argsstringArguments of the process (as a string)
process.parent.args_flagsstringArguments of the process (as an array)
process.parent.args_optionsstringArguments of the process (as an array)
process.parent.args_truncatedboolIndicator of arguments truncation
process.parent.argvstringArguments of the process (as an array)
process.parent.argv0stringFirst argument of the process
process.parent.cap_effectiveintEffective capability set of the processKernel Capability constants
process.parent.cap_permittedintPermitted capability set of the processKernel Capability constants
process.parent.commstringComm attribute of the process
process.parent.container.idstringContainer ID
process.parent.cookieintCookie of the process
process.parent.created_atintTimestamp of the creation of the process
process.parent.egidintEffective GID of the process
process.parent.egroupstringEffective group of the process
process.parent.envpstringEnvironment variables of the process
process.parent.envsstringEnvironment variable names of the process
process.parent.envs_truncatedboolIndicator of environment variables truncation
process.parent.euidintEffective UID of the process
process.parent.euserstringEffective user of the process
process.parent.file.change_timeintChange time of the file
process.parent.file.filesystemstringFile’s filesystem
process.parent.file.gidintGID of the file’s owner
process.parent.file.groupstringGroup of the file’s owner
process.parent.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
process.parent.file.inodeintInode of the file
process.parent.file.modeintMode/rights of the fileChmod mode constants
process.parent.file.modification_timeintModification time of the file
process.parent.file.mount_idintMount ID of the file
process.parent.file.namestringFile’s basename
process.parent.file.name.lengthintLength of ‘process.parent.file.name’ string
process.parent.file.pathstringFile’s path
process.parent.file.path.lengthintLength of ‘process.parent.file.path’ string
process.parent.file.rightsintMode/rights of the fileChmod mode constants
process.parent.file.uidintUID of the file’s owner
process.parent.file.userstringUser of the file’s owner
process.parent.fsgidintFileSystem-gid of the process
process.parent.fsgroupstringFileSystem-group of the process
process.parent.fsuidintFileSystem-uid of the process
process.parent.fsuserstringFileSystem-user of the process
process.parent.gidintGID of the process
process.parent.groupstringGroup of the process
process.parent.interpreter.file.change_timeintChange time of the file
process.parent.interpreter.file.filesystemstringFile’s filesystem
process.parent.interpreter.file.gidintGID of the file’s owner
process.parent.interpreter.file.groupstringGroup of the file’s owner
process.parent.interpreter.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
process.parent.interpreter.file.inodeintInode of the file
process.parent.interpreter.file.modeintMode/rights of the fileChmod mode constants
process.parent.interpreter.file.modification_timeintModification time of the file
process.parent.interpreter.file.mount_idintMount ID of the file
process.parent.interpreter.file.namestringFile’s basename
process.parent.interpreter.file.name.lengthintLength of ‘process.parent.interpreter.file.name’ string
process.parent.interpreter.file.pathstringFile’s path
process.parent.interpreter.file.path.lengthintLength of ‘process.parent.interpreter.file.path’ string
process.parent.interpreter.file.rightsintMode/rights of the fileChmod mode constants
process.parent.interpreter.file.uidintUID of the file’s owner
process.parent.interpreter.file.userstringUser of the file’s owner
process.parent.is_kworkerboolIndicates whether the process is a kworker
process.parent.is_threadboolIndicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
process.parent.pidintProcess ID of the process (also called thread group ID)
process.parent.ppidintParent process ID
process.parent.tidintThread ID of the thread
process.parent.tty_namestringName of the TTY associated with the process
process.parent.uidintUID of the process
process.parent.userstringUser of the process
process.pidintProcess ID of the process (also called thread group ID)
process.ppidintParent process ID
process.tidintThread ID of the thread
process.tty_namestringName of the TTY associated with the process
process.uidintUID of the process
process.userstringUser of the process

Event bind

This event type is experimental and may change in the future.

A bind was executed

PropertyTypeDefinitionConstants
bind.addr.familyintAddress family
bind.addr.ipIP/CIDRIP address
bind.addr.portintPort number
bind.retvalintReturn value of the syscallError Constants

Event bpf

A BPF command was executed

PropertyTypeDefinitionConstants
bpf.cmdintBPF command nameBPF commands
bpf.map.namestringName of the eBPF map (added in 7.35)
bpf.map.typeintType of the eBPF mapBPF map types
bpf.prog.attach_typeintAttach type of the eBPF programBPF attach types
bpf.prog.helpersinteBPF helpers used by the eBPF program (added in 7.35)BPF helper functions
bpf.prog.namestringName of the eBPF program (added in 7.35)
bpf.prog.tagstringHash (sha1) of the eBPF program (added in 7.35)
bpf.prog.typeintType of the eBPF programBPF program types
bpf.retvalintReturn value of the syscallError Constants

Event capset

A process changed its capacity set

PropertyTypeDefinitionConstants
capset.cap_effectiveintEffective capability set of the processKernel Capability constants
capset.cap_permittedintPermitted capability set of the processKernel Capability constants

Event chmod

A file’s permissions were changed

PropertyTypeDefinitionConstants
chmod.file.change_timeintChange time of the file
chmod.file.destination.modeintNew mode/rights of the chmod-ed fileChmod mode constants
chmod.file.destination.rightsintNew mode/rights of the chmod-ed fileChmod mode constants
chmod.file.filesystemstringFile’s filesystem
chmod.file.gidintGID of the file’s owner
chmod.file.groupstringGroup of the file’s owner
chmod.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
chmod.file.inodeintInode of the file
chmod.file.modeintMode/rights of the fileChmod mode constants
chmod.file.modification_timeintModification time of the file
chmod.file.mount_idintMount ID of the file
chmod.file.namestringFile’s basename
chmod.file.name.lengthintLength of ‘chmod.file.name’ string
chmod.file.pathstringFile’s path
chmod.file.path.lengthintLength of ‘chmod.file.path’ string
chmod.file.rightsintMode/rights of the fileChmod mode constants
chmod.file.uidintUID of the file’s owner
chmod.file.userstringUser of the file’s owner
chmod.retvalintReturn value of the syscallError Constants

Event chown

A file’s owner was changed

PropertyTypeDefinitionConstants
chown.file.change_timeintChange time of the file
chown.file.destination.gidintNew GID of the chown-ed file’s owner
chown.file.destination.groupstringNew group of the chown-ed file’s owner
chown.file.destination.uidintNew UID of the chown-ed file’s owner
chown.file.destination.userstringNew user of the chown-ed file’s owner
chown.file.filesystemstringFile’s filesystem
chown.file.gidintGID of the file’s owner
chown.file.groupstringGroup of the file’s owner
chown.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
chown.file.inodeintInode of the file
chown.file.modeintMode/rights of the fileChmod mode constants
chown.file.modification_timeintModification time of the file
chown.file.mount_idintMount ID of the file
chown.file.namestringFile’s basename
chown.file.name.lengthintLength of ‘chown.file.name’ string
chown.file.pathstringFile’s path
chown.file.path.lengthintLength of ‘chown.file.path’ string
chown.file.rightsintMode/rights of the fileChmod mode constants
chown.file.uidintUID of the file’s owner
chown.file.userstringUser of the file’s owner
chown.retvalintReturn value of the syscallError Constants

Event dns

A DNS request was sent

PropertyTypeDefinitionConstants
dns.idint[Experimental] the DNS request ID
dns.question.classintthe class looked up by the DNS questionDNS qclasses
dns.question.countintthe total count of questions in the DNS request
dns.question.lengthintthe total DNS request size in bytes
dns.question.namestringthe queried domain name
dns.question.name.lengthintthe queried domain name
dns.question.typeinta two octet code which specifies the DNS question typeDNS qtypes

Event exec

A process was executed or forked

PropertyTypeDefinitionConstants
exec.argsstringArguments of the process (as a string)
exec.args_flagsstringArguments of the process (as an array)
exec.args_optionsstringArguments of the process (as an array)
exec.args_truncatedboolIndicator of arguments truncation
exec.argvstringArguments of the process (as an array)
exec.argv0stringFirst argument of the process
exec.cap_effectiveintEffective capability set of the processKernel Capability constants
exec.cap_permittedintPermitted capability set of the processKernel Capability constants
exec.commstringComm attribute of the process
exec.container.idstringContainer ID
exec.cookieintCookie of the process
exec.created_atintTimestamp of the creation of the process
exec.egidintEffective GID of the process
exec.egroupstringEffective group of the process
exec.envpstringEnvironment variables of the process
exec.envsstringEnvironment variable names of the process
exec.envs_truncatedboolIndicator of environment variables truncation
exec.euidintEffective UID of the process
exec.euserstringEffective user of the process
exec.file.change_timeintChange time of the file
exec.file.filesystemstringFile’s filesystem
exec.file.gidintGID of the file’s owner
exec.file.groupstringGroup of the file’s owner
exec.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
exec.file.inodeintInode of the file
exec.file.modeintMode/rights of the fileChmod mode constants
exec.file.modification_timeintModification time of the file
exec.file.mount_idintMount ID of the file
exec.file.namestringFile’s basename
exec.file.name.lengthintLength of ’exec.file.name’ string
exec.file.pathstringFile’s path
exec.file.path.lengthintLength of ’exec.file.path’ string
exec.file.rightsintMode/rights of the fileChmod mode constants
exec.file.uidintUID of the file’s owner
exec.file.userstringUser of the file’s owner
exec.fsgidintFileSystem-gid of the process
exec.fsgroupstringFileSystem-group of the process
exec.fsuidintFileSystem-uid of the process
exec.fsuserstringFileSystem-user of the process
exec.gidintGID of the process
exec.groupstringGroup of the process
exec.interpreter.file.change_timeintChange time of the file
exec.interpreter.file.filesystemstringFile’s filesystem
exec.interpreter.file.gidintGID of the file’s owner
exec.interpreter.file.groupstringGroup of the file’s owner
exec.interpreter.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
exec.interpreter.file.inodeintInode of the file
exec.interpreter.file.modeintMode/rights of the fileChmod mode constants
exec.interpreter.file.modification_timeintModification time of the file
exec.interpreter.file.mount_idintMount ID of the file
exec.interpreter.file.namestringFile’s basename
exec.interpreter.file.name.lengthintLength of ’exec.interpreter.file.name’ string
exec.interpreter.file.pathstringFile’s path
exec.interpreter.file.path.lengthintLength of ’exec.interpreter.file.path’ string
exec.interpreter.file.rightsintMode/rights of the fileChmod mode constants
exec.interpreter.file.uidintUID of the file’s owner
exec.interpreter.file.userstringUser of the file’s owner
exec.is_kworkerboolIndicates whether the process is a kworker
exec.is_threadboolIndicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
exec.pidintProcess ID of the process (also called thread group ID)
exec.ppidintParent process ID
exec.tidintThread ID of the thread
exec.tty_namestringName of the TTY associated with the process
exec.uidintUID of the process
exec.userstringUser of the process

Event exit

A process was terminated

PropertyTypeDefinitionConstants
exit.argsstringArguments of the process (as a string)
exit.args_flagsstringArguments of the process (as an array)
exit.args_optionsstringArguments of the process (as an array)
exit.args_truncatedboolIndicator of arguments truncation
exit.argvstringArguments of the process (as an array)
exit.argv0stringFirst argument of the process
exit.cap_effectiveintEffective capability set of the processKernel Capability constants
exit.cap_permittedintPermitted capability set of the processKernel Capability constants
exit.causeintCause of the process termination (one of EXITED, SIGNALED, COREDUMPED)
exit.codeintExit code of the process or number of the signal that caused the process to terminate
exit.commstringComm attribute of the process
exit.container.idstringContainer ID
exit.cookieintCookie of the process
exit.created_atintTimestamp of the creation of the process
exit.egidintEffective GID of the process
exit.egroupstringEffective group of the process
exit.envpstringEnvironment variables of the process
exit.envsstringEnvironment variable names of the process
exit.envs_truncatedboolIndicator of environment variables truncation
exit.euidintEffective UID of the process
exit.euserstringEffective user of the process
exit.file.change_timeintChange time of the file
exit.file.filesystemstringFile’s filesystem
exit.file.gidintGID of the file’s owner
exit.file.groupstringGroup of the file’s owner
exit.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
exit.file.inodeintInode of the file
exit.file.modeintMode/rights of the fileChmod mode constants
exit.file.modification_timeintModification time of the file
exit.file.mount_idintMount ID of the file
exit.file.namestringFile’s basename
exit.file.name.lengthintLength of ’exit.file.name’ string
exit.file.pathstringFile’s path
exit.file.path.lengthintLength of ’exit.file.path’ string
exit.file.rightsintMode/rights of the fileChmod mode constants
exit.file.uidintUID of the file’s owner
exit.file.userstringUser of the file’s owner
exit.fsgidintFileSystem-gid of the process
exit.fsgroupstringFileSystem-group of the process
exit.fsuidintFileSystem-uid of the process
exit.fsuserstringFileSystem-user of the process
exit.gidintGID of the process
exit.groupstringGroup of the process
exit.interpreter.file.change_timeintChange time of the file
exit.interpreter.file.filesystemstringFile’s filesystem
exit.interpreter.file.gidintGID of the file’s owner
exit.interpreter.file.groupstringGroup of the file’s owner
exit.interpreter.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
exit.interpreter.file.inodeintInode of the file
exit.interpreter.file.modeintMode/rights of the fileChmod mode constants
exit.interpreter.file.modification_timeintModification time of the file
exit.interpreter.file.mount_idintMount ID of the file
exit.interpreter.file.namestringFile’s basename
exit.interpreter.file.name.lengthintLength of ’exit.interpreter.file.name’ string
exit.interpreter.file.pathstringFile’s path
exit.interpreter.file.path.lengthintLength of ’exit.interpreter.file.path’ string
exit.interpreter.file.rightsintMode/rights of the fileChmod mode constants
exit.interpreter.file.uidintUID of the file’s owner
exit.interpreter.file.userstringUser of the file’s owner
exit.is_kworkerboolIndicates whether the process is a kworker
exit.is_threadboolIndicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
exit.pidintProcess ID of the process (also called thread group ID)
exit.ppidintParent process ID
exit.tidintThread ID of the thread
exit.tty_namestringName of the TTY associated with the process
exit.uidintUID of the process
exit.userstringUser of the process

Create a new name/alias for a file

PropertyTypeDefinitionConstants
link.file.change_timeintChange time of the file
link.file.destination.change_timeintChange time of the file
link.file.destination.filesystemstringFile’s filesystem
link.file.destination.gidintGID of the file’s owner
link.file.destination.groupstringGroup of the file’s owner
link.file.destination.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
link.file.destination.inodeintInode of the file
link.file.destination.modeintMode/rights of the fileChmod mode constants
link.file.destination.modification_timeintModification time of the file
link.file.destination.mount_idintMount ID of the file
link.file.destination.namestringFile’s basename
link.file.destination.name.lengthintLength of ’link.file.destination.name’ string
link.file.destination.pathstringFile’s path
link.file.destination.path.lengthintLength of ’link.file.destination.path’ string
link.file.destination.rightsintMode/rights of the fileChmod mode constants
link.file.destination.uidintUID of the file’s owner
link.file.destination.userstringUser of the file’s owner
link.file.filesystemstringFile’s filesystem
link.file.gidintGID of the file’s owner
link.file.groupstringGroup of the file’s owner
link.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
link.file.inodeintInode of the file
link.file.modeintMode/rights of the fileChmod mode constants
link.file.modification_timeintModification time of the file
link.file.mount_idintMount ID of the file
link.file.namestringFile’s basename
link.file.name.lengthintLength of ’link.file.name’ string
link.file.pathstringFile’s path
link.file.path.lengthintLength of ’link.file.path’ string
link.file.rightsintMode/rights of the fileChmod mode constants
link.file.uidintUID of the file’s owner
link.file.userstringUser of the file’s owner
link.retvalintReturn value of the syscallError Constants

Event load_module

A new kernel module was loaded

PropertyTypeDefinitionConstants
load_module.file.change_timeintChange time of the file
load_module.file.filesystemstringFile’s filesystem
load_module.file.gidintGID of the file’s owner
load_module.file.groupstringGroup of the file’s owner
load_module.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
load_module.file.inodeintInode of the file
load_module.file.modeintMode/rights of the fileChmod mode constants
load_module.file.modification_timeintModification time of the file
load_module.file.mount_idintMount ID of the file
load_module.file.namestringFile’s basename
load_module.file.name.lengthintLength of ’load_module.file.name’ string
load_module.file.pathstringFile’s path
load_module.file.path.lengthintLength of ’load_module.file.path’ string
load_module.file.rightsintMode/rights of the fileChmod mode constants
load_module.file.uidintUID of the file’s owner
load_module.file.userstringUser of the file’s owner
load_module.loaded_from_memoryboolIndicates if the kernel module was loaded from memory
load_module.namestringName of the new kernel module
load_module.retvalintReturn value of the syscallError Constants

Event mkdir

A directory was created

PropertyTypeDefinitionConstants
mkdir.file.change_timeintChange time of the file
mkdir.file.destination.modeintMode/rights of the new directoryChmod mode constants
mkdir.file.destination.rightsintMode/rights of the new directoryChmod mode constants
mkdir.file.filesystemstringFile’s filesystem
mkdir.file.gidintGID of the file’s owner
mkdir.file.groupstringGroup of the file’s owner
mkdir.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
mkdir.file.inodeintInode of the file
mkdir.file.modeintMode/rights of the fileChmod mode constants
mkdir.file.modification_timeintModification time of the file
mkdir.file.mount_idintMount ID of the file
mkdir.file.namestringFile’s basename
mkdir.file.name.lengthintLength of ‘mkdir.file.name’ string
mkdir.file.pathstringFile’s path
mkdir.file.path.lengthintLength of ‘mkdir.file.path’ string
mkdir.file.rightsintMode/rights of the fileChmod mode constants
mkdir.file.uidintUID of the file’s owner
mkdir.file.userstringUser of the file’s owner
mkdir.retvalintReturn value of the syscallError Constants

Event mmap

A mmap command was executed

PropertyTypeDefinitionConstants
mmap.file.change_timeintChange time of the file
mmap.file.filesystemstringFile’s filesystem
mmap.file.gidintGID of the file’s owner
mmap.file.groupstringGroup of the file’s owner
mmap.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
mmap.file.inodeintInode of the file
mmap.file.modeintMode/rights of the fileChmod mode constants
mmap.file.modification_timeintModification time of the file
mmap.file.mount_idintMount ID of the file
mmap.file.namestringFile’s basename
mmap.file.name.lengthintLength of ‘mmap.file.name’ string
mmap.file.pathstringFile’s path
mmap.file.path.lengthintLength of ‘mmap.file.path’ string
mmap.file.rightsintMode/rights of the fileChmod mode constants
mmap.file.uidintUID of the file’s owner
mmap.file.userstringUser of the file’s owner
mmap.flagsintmemory segment flagsMMap flags
mmap.protectionintmemory segment protectionProtection constants
mmap.retvalintReturn value of the syscallError Constants

Event mount

This event type is experimental and may change in the future.

A filesystem was mounted

PropertyTypeDefinitionConstants
mount.fs_typestringType of the mounted file system
mount.mountpoint.pathstringPath of the mount point
mount.retvalintReturn value of the syscallError Constants
mount.source.pathstringSource path of a bind mount

Event mprotect

A mprotect command was executed

PropertyTypeDefinitionConstants
mprotect.req_protectionintnew memory segment protectionVirtual Memory flags
mprotect.retvalintReturn value of the syscallError Constants
mprotect.vm_protectionintinitial memory segment protectionVirtual Memory flags

Event open

A file was opened

PropertyTypeDefinitionConstants
open.file.change_timeintChange time of the file
open.file.destination.modeintMode of the created fileChmod mode constants
open.file.filesystemstringFile’s filesystem
open.file.gidintGID of the file’s owner
open.file.groupstringGroup of the file’s owner
open.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
open.file.inodeintInode of the file
open.file.modeintMode/rights of the fileChmod mode constants
open.file.modification_timeintModification time of the file
open.file.mount_idintMount ID of the file
open.file.namestringFile’s basename
open.file.name.lengthintLength of ‘open.file.name’ string
open.file.pathstringFile’s path
open.file.path.lengthintLength of ‘open.file.path’ string
open.file.rightsintMode/rights of the fileChmod mode constants
open.file.uidintUID of the file’s owner
open.file.userstringUser of the file’s owner
open.flagsintFlags used when opening the fileOpen flags
open.retvalintReturn value of the syscallError Constants

Event ptrace

A ptrace command was executed

PropertyTypeDefinitionConstants
ptrace.requestintptrace requestPtrace constants
ptrace.retvalintReturn value of the syscallError Constants
ptrace.tracee.ancestors.argsstringArguments of the process (as a string)
ptrace.tracee.ancestors.args_flagsstringArguments of the process (as an array)
ptrace.tracee.ancestors.args_optionsstringArguments of the process (as an array)
ptrace.tracee.ancestors.args_truncatedboolIndicator of arguments truncation
ptrace.tracee.ancestors.argvstringArguments of the process (as an array)
ptrace.tracee.ancestors.argv0stringFirst argument of the process
ptrace.tracee.ancestors.cap_effectiveintEffective capability set of the processKernel Capability constants
ptrace.tracee.ancestors.cap_permittedintPermitted capability set of the processKernel Capability constants
ptrace.tracee.ancestors.commstringComm attribute of the process
ptrace.tracee.ancestors.container.idstringContainer ID
ptrace.tracee.ancestors.cookieintCookie of the process
ptrace.tracee.ancestors.created_atintTimestamp of the creation of the process
ptrace.tracee.ancestors.egidintEffective GID of the process
ptrace.tracee.ancestors.egroupstringEffective group of the process
ptrace.tracee.ancestors.envpstringEnvironment variables of the process
ptrace.tracee.ancestors.envsstringEnvironment variable names of the process
ptrace.tracee.ancestors.envs_truncatedboolIndicator of environment variables truncation
ptrace.tracee.ancestors.euidintEffective UID of the process
ptrace.tracee.ancestors.euserstringEffective user of the process
ptrace.tracee.ancestors.file.change_timeintChange time of the file
ptrace.tracee.ancestors.file.filesystemstringFile’s filesystem
ptrace.tracee.ancestors.file.gidintGID of the file’s owner
ptrace.tracee.ancestors.file.groupstringGroup of the file’s owner
ptrace.tracee.ancestors.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
ptrace.tracee.ancestors.file.inodeintInode of the file
ptrace.tracee.ancestors.file.modeintMode/rights of the fileChmod mode constants
ptrace.tracee.ancestors.file.modification_timeintModification time of the file
ptrace.tracee.ancestors.file.mount_idintMount ID of the file
ptrace.tracee.ancestors.file.namestringFile’s basename
ptrace.tracee.ancestors.file.name.lengthintLength of ‘ptrace.tracee.ancestors.file.name’ string
ptrace.tracee.ancestors.file.pathstringFile’s path
ptrace.tracee.ancestors.file.path.lengthintLength of ‘ptrace.tracee.ancestors.file.path’ string
ptrace.tracee.ancestors.file.rightsintMode/rights of the fileChmod mode constants
ptrace.tracee.ancestors.file.uidintUID of the file’s owner
ptrace.tracee.ancestors.file.userstringUser of the file’s owner
ptrace.tracee.ancestors.fsgidintFileSystem-gid of the process
ptrace.tracee.ancestors.fsgroupstringFileSystem-group of the process
ptrace.tracee.ancestors.fsuidintFileSystem-uid of the process
ptrace.tracee.ancestors.fsuserstringFileSystem-user of the process
ptrace.tracee.ancestors.gidintGID of the process
ptrace.tracee.ancestors.groupstringGroup of the process
ptrace.tracee.ancestors.interpreter.file.change_timeintChange time of the file
ptrace.tracee.ancestors.interpreter.file.filesystemstringFile’s filesystem
ptrace.tracee.ancestors.interpreter.file.gidintGID of the file’s owner
ptrace.tracee.ancestors.interpreter.file.groupstringGroup of the file’s owner
ptrace.tracee.ancestors.interpreter.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
ptrace.tracee.ancestors.interpreter.file.inodeintInode of the file
ptrace.tracee.ancestors.interpreter.file.modeintMode/rights of the fileChmod mode constants
ptrace.tracee.ancestors.interpreter.file.modification_timeintModification time of the file
ptrace.tracee.ancestors.interpreter.file.mount_idintMount ID of the file
ptrace.tracee.ancestors.interpreter.file.namestringFile’s basename
ptrace.tracee.ancestors.interpreter.file.name.lengthintLength of ‘ptrace.tracee.ancestors.interpreter.file.name’ string
ptrace.tracee.ancestors.interpreter.file.pathstringFile’s path
ptrace.tracee.ancestors.interpreter.file.path.lengthintLength of ‘ptrace.tracee.ancestors.interpreter.file.path’ string
ptrace.tracee.ancestors.interpreter.file.rightsintMode/rights of the fileChmod mode constants
ptrace.tracee.ancestors.interpreter.file.uidintUID of the file’s owner
ptrace.tracee.ancestors.interpreter.file.userstringUser of the file’s owner
ptrace.tracee.ancestors.is_kworkerboolIndicates whether the process is a kworker
ptrace.tracee.ancestors.is_threadboolIndicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
ptrace.tracee.ancestors.pidintProcess ID of the process (also called thread group ID)
ptrace.tracee.ancestors.ppidintParent process ID
ptrace.tracee.ancestors.tidintThread ID of the thread
ptrace.tracee.ancestors.tty_namestringName of the TTY associated with the process
ptrace.tracee.ancestors.uidintUID of the process
ptrace.tracee.ancestors.userstringUser of the process
ptrace.tracee.argsstringArguments of the process (as a string)
ptrace.tracee.args_flagsstringArguments of the process (as an array)
ptrace.tracee.args_optionsstringArguments of the process (as an array)
ptrace.tracee.args_truncatedboolIndicator of arguments truncation
ptrace.tracee.argvstringArguments of the process (as an array)
ptrace.tracee.argv0stringFirst argument of the process
ptrace.tracee.cap_effectiveintEffective capability set of the processKernel Capability constants
ptrace.tracee.cap_permittedintPermitted capability set of the processKernel Capability constants
ptrace.tracee.commstringComm attribute of the process
ptrace.tracee.container.idstringContainer ID
ptrace.tracee.cookieintCookie of the process
ptrace.tracee.created_atintTimestamp of the creation of the process
ptrace.tracee.egidintEffective GID of the process
ptrace.tracee.egroupstringEffective group of the process
ptrace.tracee.envpstringEnvironment variables of the process
ptrace.tracee.envsstringEnvironment variable names of the process
ptrace.tracee.envs_truncatedboolIndicator of environment variables truncation
ptrace.tracee.euidintEffective UID of the process
ptrace.tracee.euserstringEffective user of the process
ptrace.tracee.file.change_timeintChange time of the file
ptrace.tracee.file.filesystemstringFile’s filesystem
ptrace.tracee.file.gidintGID of the file’s owner
ptrace.tracee.file.groupstringGroup of the file’s owner
ptrace.tracee.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
ptrace.tracee.file.inodeintInode of the file
ptrace.tracee.file.modeintMode/rights of the fileChmod mode constants
ptrace.tracee.file.modification_timeintModification time of the file
ptrace.tracee.file.mount_idintMount ID of the file
ptrace.tracee.file.namestringFile’s basename
ptrace.tracee.file.name.lengthintLength of ‘ptrace.tracee.file.name’ string
ptrace.tracee.file.pathstringFile’s path
ptrace.tracee.file.path.lengthintLength of ‘ptrace.tracee.file.path’ string
ptrace.tracee.file.rightsintMode/rights of the fileChmod mode constants
ptrace.tracee.file.uidintUID of the file’s owner
ptrace.tracee.file.userstringUser of the file’s owner
ptrace.tracee.fsgidintFileSystem-gid of the process
ptrace.tracee.fsgroupstringFileSystem-group of the process
ptrace.tracee.fsuidintFileSystem-uid of the process
ptrace.tracee.fsuserstringFileSystem-user of the process
ptrace.tracee.gidintGID of the process
ptrace.tracee.groupstringGroup of the process
ptrace.tracee.interpreter.file.change_timeintChange time of the file
ptrace.tracee.interpreter.file.filesystemstringFile’s filesystem
ptrace.tracee.interpreter.file.gidintGID of the file’s owner
ptrace.tracee.interpreter.file.groupstringGroup of the file’s owner
ptrace.tracee.interpreter.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
ptrace.tracee.interpreter.file.inodeintInode of the file
ptrace.tracee.interpreter.file.modeintMode/rights of the fileChmod mode constants
ptrace.tracee.interpreter.file.modification_timeintModification time of the file
ptrace.tracee.interpreter.file.mount_idintMount ID of the file
ptrace.tracee.interpreter.file.namestringFile’s basename
ptrace.tracee.interpreter.file.name.lengthintLength of ‘ptrace.tracee.interpreter.file.name’ string
ptrace.tracee.interpreter.file.pathstringFile’s path
ptrace.tracee.interpreter.file.path.lengthintLength of ‘ptrace.tracee.interpreter.file.path’ string
ptrace.tracee.interpreter.file.rightsintMode/rights of the fileChmod mode constants
ptrace.tracee.interpreter.file.uidintUID of the file’s owner
ptrace.tracee.interpreter.file.userstringUser of the file’s owner
ptrace.tracee.is_kworkerboolIndicates whether the process is a kworker
ptrace.tracee.is_threadboolIndicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
ptrace.tracee.parent.argsstringArguments of the process (as a string)
ptrace.tracee.parent.args_flagsstringArguments of the process (as an array)
ptrace.tracee.parent.args_optionsstringArguments of the process (as an array)
ptrace.tracee.parent.args_truncatedboolIndicator of arguments truncation
ptrace.tracee.parent.argvstringArguments of the process (as an array)
ptrace.tracee.parent.argv0stringFirst argument of the process
ptrace.tracee.parent.cap_effectiveintEffective capability set of the processKernel Capability constants
ptrace.tracee.parent.cap_permittedintPermitted capability set of the processKernel Capability constants
ptrace.tracee.parent.commstringComm attribute of the process
ptrace.tracee.parent.container.idstringContainer ID
ptrace.tracee.parent.cookieintCookie of the process
ptrace.tracee.parent.created_atintTimestamp of the creation of the process
ptrace.tracee.parent.egidintEffective GID of the process
ptrace.tracee.parent.egroupstringEffective group of the process
ptrace.tracee.parent.envpstringEnvironment variables of the process
ptrace.tracee.parent.envsstringEnvironment variable names of the process
ptrace.tracee.parent.envs_truncatedboolIndicator of environment variables truncation
ptrace.tracee.parent.euidintEffective UID of the process
ptrace.tracee.parent.euserstringEffective user of the process
ptrace.tracee.parent.file.change_timeintChange time of the file
ptrace.tracee.parent.file.filesystemstringFile’s filesystem
ptrace.tracee.parent.file.gidintGID of the file’s owner
ptrace.tracee.parent.file.groupstringGroup of the file’s owner
ptrace.tracee.parent.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
ptrace.tracee.parent.file.inodeintInode of the file
ptrace.tracee.parent.file.modeintMode/rights of the fileChmod mode constants
ptrace.tracee.parent.file.modification_timeintModification time of the file
ptrace.tracee.parent.file.mount_idintMount ID of the file
ptrace.tracee.parent.file.namestringFile’s basename
ptrace.tracee.parent.file.name.lengthintLength of ‘ptrace.tracee.parent.file.name’ string
ptrace.tracee.parent.file.pathstringFile’s path
ptrace.tracee.parent.file.path.lengthintLength of ‘ptrace.tracee.parent.file.path’ string
ptrace.tracee.parent.file.rightsintMode/rights of the fileChmod mode constants
ptrace.tracee.parent.file.uidintUID of the file’s owner
ptrace.tracee.parent.file.userstringUser of the file’s owner
ptrace.tracee.parent.fsgidintFileSystem-gid of the process
ptrace.tracee.parent.fsgroupstringFileSystem-group of the process
ptrace.tracee.parent.fsuidintFileSystem-uid of the process
ptrace.tracee.parent.fsuserstringFileSystem-user of the process
ptrace.tracee.parent.gidintGID of the process
ptrace.tracee.parent.groupstringGroup of the process
ptrace.tracee.parent.interpreter.file.change_timeintChange time of the file
ptrace.tracee.parent.interpreter.file.filesystemstringFile’s filesystem
ptrace.tracee.parent.interpreter.file.gidintGID of the file’s owner
ptrace.tracee.parent.interpreter.file.groupstringGroup of the file’s owner
ptrace.tracee.parent.interpreter.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
ptrace.tracee.parent.interpreter.file.inodeintInode of the file
ptrace.tracee.parent.interpreter.file.modeintMode/rights of the fileChmod mode constants
ptrace.tracee.parent.interpreter.file.modification_timeintModification time of the file
ptrace.tracee.parent.interpreter.file.mount_idintMount ID of the file
ptrace.tracee.parent.interpreter.file.namestringFile’s basename
ptrace.tracee.parent.interpreter.file.name.lengthintLength of ‘ptrace.tracee.parent.interpreter.file.name’ string
ptrace.tracee.parent.interpreter.file.pathstringFile’s path
ptrace.tracee.parent.interpreter.file.path.lengthintLength of ‘ptrace.tracee.parent.interpreter.file.path’ string
ptrace.tracee.parent.interpreter.file.rightsintMode/rights of the fileChmod mode constants
ptrace.tracee.parent.interpreter.file.uidintUID of the file’s owner
ptrace.tracee.parent.interpreter.file.userstringUser of the file’s owner
ptrace.tracee.parent.is_kworkerboolIndicates whether the process is a kworker
ptrace.tracee.parent.is_threadboolIndicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
ptrace.tracee.parent.pidintProcess ID of the process (also called thread group ID)
ptrace.tracee.parent.ppidintParent process ID
ptrace.tracee.parent.tidintThread ID of the thread
ptrace.tracee.parent.tty_namestringName of the TTY associated with the process
ptrace.tracee.parent.uidintUID of the process
ptrace.tracee.parent.userstringUser of the process
ptrace.tracee.pidintProcess ID of the process (also called thread group ID)
ptrace.tracee.ppidintParent process ID
ptrace.tracee.tidintThread ID of the thread
ptrace.tracee.tty_namestringName of the TTY associated with the process
ptrace.tracee.uidintUID of the process
ptrace.tracee.userstringUser of the process

Event removexattr

Remove extended attributes

PropertyTypeDefinitionConstants
removexattr.file.change_timeintChange time of the file
removexattr.file.destination.namestringName of the extended attribute
removexattr.file.destination.namespacestringNamespace of the extended attribute
removexattr.file.filesystemstringFile’s filesystem
removexattr.file.gidintGID of the file’s owner
removexattr.file.groupstringGroup of the file’s owner
removexattr.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
removexattr.file.inodeintInode of the file
removexattr.file.modeintMode/rights of the fileChmod mode constants
removexattr.file.modification_timeintModification time of the file
removexattr.file.mount_idintMount ID of the file
removexattr.file.namestringFile’s basename
removexattr.file.name.lengthintLength of ‘removexattr.file.name’ string
removexattr.file.pathstringFile’s path
removexattr.file.path.lengthintLength of ‘removexattr.file.path’ string
removexattr.file.rightsintMode/rights of the fileChmod mode constants
removexattr.file.uidintUID of the file’s owner
removexattr.file.userstringUser of the file’s owner
removexattr.retvalintReturn value of the syscallError Constants

Event rename

A file/directory was renamed

PropertyTypeDefinitionConstants
rename.file.change_timeintChange time of the file
rename.file.destination.change_timeintChange time of the file
rename.file.destination.filesystemstringFile’s filesystem
rename.file.destination.gidintGID of the file’s owner
rename.file.destination.groupstringGroup of the file’s owner
rename.file.destination.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
rename.file.destination.inodeintInode of the file
rename.file.destination.modeintMode/rights of the fileChmod mode constants
rename.file.destination.modification_timeintModification time of the file
rename.file.destination.mount_idintMount ID of the file
rename.file.destination.namestringFile’s basename
rename.file.destination.name.lengthintLength of ‘rename.file.destination.name’ string
rename.file.destination.pathstringFile’s path
rename.file.destination.path.lengthintLength of ‘rename.file.destination.path’ string
rename.file.destination.rightsintMode/rights of the fileChmod mode constants
rename.file.destination.uidintUID of the file’s owner
rename.file.destination.userstringUser of the file’s owner
rename.file.filesystemstringFile’s filesystem
rename.file.gidintGID of the file’s owner
rename.file.groupstringGroup of the file’s owner
rename.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
rename.file.inodeintInode of the file
rename.file.modeintMode/rights of the fileChmod mode constants
rename.file.modification_timeintModification time of the file
rename.file.mount_idintMount ID of the file
rename.file.namestringFile’s basename
rename.file.name.lengthintLength of ‘rename.file.name’ string
rename.file.pathstringFile’s path
rename.file.path.lengthintLength of ‘rename.file.path’ string
rename.file.rightsintMode/rights of the fileChmod mode constants
rename.file.uidintUID of the file’s owner
rename.file.userstringUser of the file’s owner
rename.retvalintReturn value of the syscallError Constants

Event rmdir

A directory was removed

PropertyTypeDefinitionConstants
rmdir.file.change_timeintChange time of the file
rmdir.file.filesystemstringFile’s filesystem
rmdir.file.gidintGID of the file’s owner
rmdir.file.groupstringGroup of the file’s owner
rmdir.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
rmdir.file.inodeintInode of the file
rmdir.file.modeintMode/rights of the fileChmod mode constants
rmdir.file.modification_timeintModification time of the file
rmdir.file.mount_idintMount ID of the file
rmdir.file.namestringFile’s basename
rmdir.file.name.lengthintLength of ‘rmdir.file.name’ string
rmdir.file.pathstringFile’s path
rmdir.file.path.lengthintLength of ‘rmdir.file.path’ string
rmdir.file.rightsintMode/rights of the fileChmod mode constants
rmdir.file.uidintUID of the file’s owner
rmdir.file.userstringUser of the file’s owner
rmdir.retvalintReturn value of the syscallError Constants

Event selinux

An SELinux operation was run

PropertyTypeDefinitionConstants
selinux.bool.namestringSELinux boolean name
selinux.bool.statestringSELinux boolean new value
selinux.bool_commit.stateboolIndicator of a SELinux boolean commit operation
selinux.enforce.statusstringSELinux enforcement status (one of “enforcing”, “permissive”, “disabled”")

Event setgid

A process changed its effective gid

PropertyTypeDefinitionConstants
setgid.egidintNew effective GID of the process
setgid.egroupstringNew effective group of the process
setgid.fsgidintNew FileSystem GID of the process
setgid.fsgroupstringNew FileSystem group of the process
setgid.gidintNew GID of the process
setgid.groupstringNew group of the process

Event setuid

A process changed its effective uid

PropertyTypeDefinitionConstants
setuid.euidintNew effective UID of the process
setuid.euserstringNew effective user of the process
setuid.fsuidintNew FileSystem UID of the process
setuid.fsuserstringNew FileSystem user of the process
setuid.uidintNew UID of the process
setuid.userstringNew user of the process

Event setxattr

Set exteneded attributes

PropertyTypeDefinitionConstants
setxattr.file.change_timeintChange time of the file
setxattr.file.destination.namestringName of the extended attribute
setxattr.file.destination.namespacestringNamespace of the extended attribute
setxattr.file.filesystemstringFile’s filesystem
setxattr.file.gidintGID of the file’s owner
setxattr.file.groupstringGroup of the file’s owner
setxattr.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
setxattr.file.inodeintInode of the file
setxattr.file.modeintMode/rights of the fileChmod mode constants
setxattr.file.modification_timeintModification time of the file
setxattr.file.mount_idintMount ID of the file
setxattr.file.namestringFile’s basename
setxattr.file.name.lengthintLength of ‘setxattr.file.name’ string
setxattr.file.pathstringFile’s path
setxattr.file.path.lengthintLength of ‘setxattr.file.path’ string
setxattr.file.rightsintMode/rights of the fileChmod mode constants
setxattr.file.uidintUID of the file’s owner
setxattr.file.userstringUser of the file’s owner
setxattr.retvalintReturn value of the syscallError Constants

Event signal

A signal was sent

PropertyTypeDefinitionConstants
signal.pidintTarget PID
signal.retvalintReturn value of the syscallError Constants
signal.target.ancestors.argsstringArguments of the process (as a string)
signal.target.ancestors.args_flagsstringArguments of the process (as an array)
signal.target.ancestors.args_optionsstringArguments of the process (as an array)
signal.target.ancestors.args_truncatedboolIndicator of arguments truncation
signal.target.ancestors.argvstringArguments of the process (as an array)
signal.target.ancestors.argv0stringFirst argument of the process
signal.target.ancestors.cap_effectiveintEffective capability set of the processKernel Capability constants
signal.target.ancestors.cap_permittedintPermitted capability set of the processKernel Capability constants
signal.target.ancestors.commstringComm attribute of the process
signal.target.ancestors.container.idstringContainer ID
signal.target.ancestors.cookieintCookie of the process
signal.target.ancestors.created_atintTimestamp of the creation of the process
signal.target.ancestors.egidintEffective GID of the process
signal.target.ancestors.egroupstringEffective group of the process
signal.target.ancestors.envpstringEnvironment variables of the process
signal.target.ancestors.envsstringEnvironment variable names of the process
signal.target.ancestors.envs_truncatedboolIndicator of environment variables truncation
signal.target.ancestors.euidintEffective UID of the process
signal.target.ancestors.euserstringEffective user of the process
signal.target.ancestors.file.change_timeintChange time of the file
signal.target.ancestors.file.filesystemstringFile’s filesystem
signal.target.ancestors.file.gidintGID of the file’s owner
signal.target.ancestors.file.groupstringGroup of the file’s owner
signal.target.ancestors.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
signal.target.ancestors.file.inodeintInode of the file
signal.target.ancestors.file.modeintMode/rights of the fileChmod mode constants
signal.target.ancestors.file.modification_timeintModification time of the file
signal.target.ancestors.file.mount_idintMount ID of the file
signal.target.ancestors.file.namestringFile’s basename
signal.target.ancestors.file.name.lengthintLength of ‘signal.target.ancestors.file.name’ string
signal.target.ancestors.file.pathstringFile’s path
signal.target.ancestors.file.path.lengthintLength of ‘signal.target.ancestors.file.path’ string
signal.target.ancestors.file.rightsintMode/rights of the fileChmod mode constants
signal.target.ancestors.file.uidintUID of the file’s owner
signal.target.ancestors.file.userstringUser of the file’s owner
signal.target.ancestors.fsgidintFileSystem-gid of the process
signal.target.ancestors.fsgroupstringFileSystem-group of the process
signal.target.ancestors.fsuidintFileSystem-uid of the process
signal.target.ancestors.fsuserstringFileSystem-user of the process
signal.target.ancestors.gidintGID of the process
signal.target.ancestors.groupstringGroup of the process
signal.target.ancestors.interpreter.file.change_timeintChange time of the file
signal.target.ancestors.interpreter.file.filesystemstringFile’s filesystem
signal.target.ancestors.interpreter.file.gidintGID of the file’s owner
signal.target.ancestors.interpreter.file.groupstringGroup of the file’s owner
signal.target.ancestors.interpreter.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
signal.target.ancestors.interpreter.file.inodeintInode of the file
signal.target.ancestors.interpreter.file.modeintMode/rights of the fileChmod mode constants
signal.target.ancestors.interpreter.file.modification_timeintModification time of the file
signal.target.ancestors.interpreter.file.mount_idintMount ID of the file
signal.target.ancestors.interpreter.file.namestringFile’s basename
signal.target.ancestors.interpreter.file.name.lengthintLength of ‘signal.target.ancestors.interpreter.file.name’ string
signal.target.ancestors.interpreter.file.pathstringFile’s path
signal.target.ancestors.interpreter.file.path.lengthintLength of ‘signal.target.ancestors.interpreter.file.path’ string
signal.target.ancestors.interpreter.file.rightsintMode/rights of the fileChmod mode constants
signal.target.ancestors.interpreter.file.uidintUID of the file’s owner
signal.target.ancestors.interpreter.file.userstringUser of the file’s owner
signal.target.ancestors.is_kworkerboolIndicates whether the process is a kworker
signal.target.ancestors.is_threadboolIndicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
signal.target.ancestors.pidintProcess ID of the process (also called thread group ID)
signal.target.ancestors.ppidintParent process ID
signal.target.ancestors.tidintThread ID of the thread
signal.target.ancestors.tty_namestringName of the TTY associated with the process
signal.target.ancestors.uidintUID of the process
signal.target.ancestors.userstringUser of the process
signal.target.argsstringArguments of the process (as a string)
signal.target.args_flagsstringArguments of the process (as an array)
signal.target.args_optionsstringArguments of the process (as an array)
signal.target.args_truncatedboolIndicator of arguments truncation
signal.target.argvstringArguments of the process (as an array)
signal.target.argv0stringFirst argument of the process
signal.target.cap_effectiveintEffective capability set of the processKernel Capability constants
signal.target.cap_permittedintPermitted capability set of the processKernel Capability constants
signal.target.commstringComm attribute of the process
signal.target.container.idstringContainer ID
signal.target.cookieintCookie of the process
signal.target.created_atintTimestamp of the creation of the process
signal.target.egidintEffective GID of the process
signal.target.egroupstringEffective group of the process
signal.target.envpstringEnvironment variables of the process
signal.target.envsstringEnvironment variable names of the process
signal.target.envs_truncatedboolIndicator of environment variables truncation
signal.target.euidintEffective UID of the process
signal.target.euserstringEffective user of the process
signal.target.file.change_timeintChange time of the file
signal.target.file.filesystemstringFile’s filesystem
signal.target.file.gidintGID of the file’s owner
signal.target.file.groupstringGroup of the file’s owner
signal.target.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
signal.target.file.inodeintInode of the file
signal.target.file.modeintMode/rights of the fileChmod mode constants
signal.target.file.modification_timeintModification time of the file
signal.target.file.mount_idintMount ID of the file
signal.target.file.namestringFile’s basename
signal.target.file.name.lengthintLength of ‘signal.target.file.name’ string
signal.target.file.pathstringFile’s path
signal.target.file.path.lengthintLength of ‘signal.target.file.path’ string
signal.target.file.rightsintMode/rights of the fileChmod mode constants
signal.target.file.uidintUID of the file’s owner
signal.target.file.userstringUser of the file’s owner
signal.target.fsgidintFileSystem-gid of the process
signal.target.fsgroupstringFileSystem-group of the process
signal.target.fsuidintFileSystem-uid of the process
signal.target.fsuserstringFileSystem-user of the process
signal.target.gidintGID of the process
signal.target.groupstringGroup of the process
signal.target.interpreter.file.change_timeintChange time of the file
signal.target.interpreter.file.filesystemstringFile’s filesystem
signal.target.interpreter.file.gidintGID of the file’s owner
signal.target.interpreter.file.groupstringGroup of the file’s owner
signal.target.interpreter.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
signal.target.interpreter.file.inodeintInode of the file
signal.target.interpreter.file.modeintMode/rights of the fileChmod mode constants
signal.target.interpreter.file.modification_timeintModification time of the file
signal.target.interpreter.file.mount_idintMount ID of the file
signal.target.interpreter.file.namestringFile’s basename
signal.target.interpreter.file.name.lengthintLength of ‘signal.target.interpreter.file.name’ string
signal.target.interpreter.file.pathstringFile’s path
signal.target.interpreter.file.path.lengthintLength of ‘signal.target.interpreter.file.path’ string
signal.target.interpreter.file.rightsintMode/rights of the fileChmod mode constants
signal.target.interpreter.file.uidintUID of the file’s owner
signal.target.interpreter.file.userstringUser of the file’s owner
signal.target.is_kworkerboolIndicates whether the process is a kworker
signal.target.is_threadboolIndicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
signal.target.parent.argsstringArguments of the process (as a string)
signal.target.parent.args_flagsstringArguments of the process (as an array)
signal.target.parent.args_optionsstringArguments of the process (as an array)
signal.target.parent.args_truncatedboolIndicator of arguments truncation
signal.target.parent.argvstringArguments of the process (as an array)
signal.target.parent.argv0stringFirst argument of the process
signal.target.parent.cap_effectiveintEffective capability set of the processKernel Capability constants
signal.target.parent.cap_permittedintPermitted capability set of the processKernel Capability constants
signal.target.parent.commstringComm attribute of the process
signal.target.parent.container.idstringContainer ID
signal.target.parent.cookieintCookie of the process
signal.target.parent.created_atintTimestamp of the creation of the process
signal.target.parent.egidintEffective GID of the process
signal.target.parent.egroupstringEffective group of the process
signal.target.parent.envpstringEnvironment variables of the process
signal.target.parent.envsstringEnvironment variable names of the process
signal.target.parent.envs_truncatedboolIndicator of environment variables truncation
signal.target.parent.euidintEffective UID of the process
signal.target.parent.euserstringEffective user of the process
signal.target.parent.file.change_timeintChange time of the file
signal.target.parent.file.filesystemstringFile’s filesystem
signal.target.parent.file.gidintGID of the file’s owner
signal.target.parent.file.groupstringGroup of the file’s owner
signal.target.parent.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
signal.target.parent.file.inodeintInode of the file
signal.target.parent.file.modeintMode/rights of the fileChmod mode constants
signal.target.parent.file.modification_timeintModification time of the file
signal.target.parent.file.mount_idintMount ID of the file
signal.target.parent.file.namestringFile’s basename
signal.target.parent.file.name.lengthintLength of ‘signal.target.parent.file.name’ string
signal.target.parent.file.pathstringFile’s path
signal.target.parent.file.path.lengthintLength of ‘signal.target.parent.file.path’ string
signal.target.parent.file.rightsintMode/rights of the fileChmod mode constants
signal.target.parent.file.uidintUID of the file’s owner
signal.target.parent.file.userstringUser of the file’s owner
signal.target.parent.fsgidintFileSystem-gid of the process
signal.target.parent.fsgroupstringFileSystem-group of the process
signal.target.parent.fsuidintFileSystem-uid of the process
signal.target.parent.fsuserstringFileSystem-user of the process
signal.target.parent.gidintGID of the process
signal.target.parent.groupstringGroup of the process
signal.target.parent.interpreter.file.change_timeintChange time of the file
signal.target.parent.interpreter.file.filesystemstringFile’s filesystem
signal.target.parent.interpreter.file.gidintGID of the file’s owner
signal.target.parent.interpreter.file.groupstringGroup of the file’s owner
signal.target.parent.interpreter.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
signal.target.parent.interpreter.file.inodeintInode of the file
signal.target.parent.interpreter.file.modeintMode/rights of the fileChmod mode constants
signal.target.parent.interpreter.file.modification_timeintModification time of the file
signal.target.parent.interpreter.file.mount_idintMount ID of the file
signal.target.parent.interpreter.file.namestringFile’s basename
signal.target.parent.interpreter.file.name.lengthintLength of ‘signal.target.parent.interpreter.file.name’ string
signal.target.parent.interpreter.file.pathstringFile’s path
signal.target.parent.interpreter.file.path.lengthintLength of ‘signal.target.parent.interpreter.file.path’ string
signal.target.parent.interpreter.file.rightsintMode/rights of the fileChmod mode constants
signal.target.parent.interpreter.file.uidintUID of the file’s owner
signal.target.parent.interpreter.file.userstringUser of the file’s owner
signal.target.parent.is_kworkerboolIndicates whether the process is a kworker
signal.target.parent.is_threadboolIndicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
signal.target.parent.pidintProcess ID of the process (also called thread group ID)
signal.target.parent.ppidintParent process ID
signal.target.parent.tidintThread ID of the thread
signal.target.parent.tty_namestringName of the TTY associated with the process
signal.target.parent.uidintUID of the process
signal.target.parent.userstringUser of the process
signal.target.pidintProcess ID of the process (also called thread group ID)
signal.target.ppidintParent process ID
signal.target.tidintThread ID of the thread
signal.target.tty_namestringName of the TTY associated with the process
signal.target.uidintUID of the process
signal.target.userstringUser of the process
signal.typeintSignal type (ex: SIGHUP, SIGINT, SIGQUIT, etc)Signal constants

Event splice

A splice command was executed

PropertyTypeDefinitionConstants
splice.file.change_timeintChange time of the file
splice.file.filesystemstringFile’s filesystem
splice.file.gidintGID of the file’s owner
splice.file.groupstringGroup of the file’s owner
splice.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
splice.file.inodeintInode of the file
splice.file.modeintMode/rights of the fileChmod mode constants
splice.file.modification_timeintModification time of the file
splice.file.mount_idintMount ID of the file
splice.file.namestringFile’s basename
splice.file.name.lengthintLength of ‘splice.file.name’ string
splice.file.pathstringFile’s path
splice.file.path.lengthintLength of ‘splice.file.path’ string
splice.file.rightsintMode/rights of the fileChmod mode constants
splice.file.uidintUID of the file’s owner
splice.file.userstringUser of the file’s owner
splice.pipe_entry_flagintEntry flag of the “fd_out” pipe passed to the splice syscallPipe buffer flags
splice.pipe_exit_flagintExit flag of the “fd_out” pipe passed to the splice syscallPipe buffer flags
splice.retvalintReturn value of the syscallError Constants

A file was deleted

PropertyTypeDefinitionConstants
unlink.file.change_timeintChange time of the file
unlink.file.filesystemstringFile’s filesystem
unlink.file.gidintGID of the file’s owner
unlink.file.groupstringGroup of the file’s owner
unlink.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
unlink.file.inodeintInode of the file
unlink.file.modeintMode/rights of the fileChmod mode constants
unlink.file.modification_timeintModification time of the file
unlink.file.mount_idintMount ID of the file
unlink.file.namestringFile’s basename
unlink.file.name.lengthintLength of ‘unlink.file.name’ string
unlink.file.pathstringFile’s path
unlink.file.path.lengthintLength of ‘unlink.file.path’ string
unlink.file.rightsintMode/rights of the fileChmod mode constants
unlink.file.uidintUID of the file’s owner
unlink.file.userstringUser of the file’s owner
unlink.flagsintUnlink flags
unlink.retvalintReturn value of the syscallError Constants

Event unload_module

A kernel module was deleted

PropertyTypeDefinitionConstants
unload_module.namestringName of the kernel module that was deleted
unload_module.retvalintReturn value of the syscallError Constants

Event utimes

Change file access/modification times

PropertyTypeDefinitionConstants
utimes.file.change_timeintChange time of the file
utimes.file.filesystemstringFile’s filesystem
utimes.file.gidintGID of the file’s owner
utimes.file.groupstringGroup of the file’s owner
utimes.file.in_upper_layerboolIndicator of the file layer, for example, in an OverlayFS
utimes.file.inodeintInode of the file
utimes.file.modeintMode/rights of the fileChmod mode constants
utimes.file.modification_timeintModification time of the file
utimes.file.mount_idintMount ID of the file
utimes.file.namestringFile’s basename
utimes.file.name.lengthintLength of ‘utimes.file.name’ string
utimes.file.pathstringFile’s path
utimes.file.path.lengthintLength of ‘utimes.file.path’ string
utimes.file.rightsintMode/rights of the fileChmod mode constants
utimes.file.uidintUID of the file’s owner
utimes.file.userstringUser of the file’s owner
utimes.retvalintReturn value of the syscallError Constants

Constants

Constants are used to improve the readability of your rules. Some constants are common to all architectures, others are specific to some architectures.

BPF attach types

BPF attach types are the supported eBPF program attach types.

NameArchitectures
BPF_CGROUP_INET_INGRESSall
BPF_CGROUP_INET_EGRESSall
BPF_CGROUP_INET_SOCK_CREATEall
BPF_CGROUP_SOCK_OPSall
BPF_SK_SKB_STREAM_PARSERall
BPF_SK_SKB_STREAM_VERDICTall
BPF_CGROUP_DEVICEall
BPF_SK_MSG_VERDICTall
BPF_CGROUP_INET4_BINDall
BPF_CGROUP_INET6_BINDall
BPF_CGROUP_INET4_CONNECTall
BPF_CGROUP_INET6_CONNECTall
BPF_CGROUP_INET4_POST_BINDall
BPF_CGROUP_INET6_POST_BINDall
BPF_CGROUP_UDP4_SENDMSGall
BPF_CGROUP_UDP6_SENDMSGall
BPF_LIRC_MODE2all
BPF_FLOW_DISSECTORall
BPF_CGROUP_SYSCTLall
BPF_CGROUP_UDP4_RECVMSGall
BPF_CGROUP_UDP6_RECVMSGall
BPF_CGROUP_GETSOCKOPTall
BPF_CGROUP_SETSOCKOPTall
BPF_TRACE_RAW_TPall
BPF_TRACE_FENTRYall
BPF_TRACE_FEXITall
BPF_MODIFY_RETURNall
BPF_LSM_MACall
BPF_TRACE_ITERall
BPF_CGROUP_INET4_GETPEERNAMEall
BPF_CGROUP_INET6_GETPEERNAMEall
BPF_CGROUP_INET4_GETSOCKNAMEall
BPF_CGROUP_INET6_GETSOCKNAMEall
BPF_XDP_DEVMAPall
BPF_CGROUP_INET_SOCK_RELEASEall
BPF_XDP_CPUMAPall
BPF_SK_LOOKUPall
BPF_XDPall
BPF_SK_SKB_VERDICTall

BPF commands

BPF commands are used to specify a command to a bpf syscall.

NameArchitectures
BPF_MAP_CREATEall
BPF_MAP_LOOKUP_ELEMall
BPF_MAP_UPDATE_ELEMall
BPF_MAP_DELETE_ELEMall
BPF_MAP_GET_NEXT_KEYall
BPF_PROG_LOADall
BPF_OBJ_PINall
BPF_OBJ_GETall
BPF_PROG_ATTACHall
BPF_PROG_DETACHall
BPF_PROG_TEST_RUNall
BPF_PROG_RUNall
BPF_PROG_GET_NEXT_IDall
BPF_MAP_GET_NEXT_IDall
BPF_PROG_GET_FD_BY_IDall
BPF_MAP_GET_FD_BY_IDall
BPF_OBJ_GET_INFO_BY_FDall
BPF_PROG_QUERYall
BPF_RAW_TRACEPOINT_OPENall
BPF_BTF_LOADall
BPF_BTF_GET_FD_BY_IDall
BPF_TASK_FD_QUERYall
BPF_MAP_LOOKUP_AND_DELETE_ELEMall
BPF_MAP_FREEZEall
BPF_BTF_GET_NEXT_IDall
BPF_MAP_LOOKUP_BATCHall
BPF_MAP_LOOKUP_AND_DELETE_BATCHall
BPF_MAP_UPDATE_BATCHall
BPF_MAP_DELETE_BATCHall
BPF_LINK_CREATEall
BPF_LINK_UPDATEall
BPF_LINK_GET_FD_BY_IDall
BPF_LINK_GET_NEXT_IDall
BPF_ENABLE_STATSall
BPF_ITER_CREATEall
BPF_LINK_DETACHall
BPF_PROG_BIND_MAPall

BPF helper functions

BPF helper functions are the supported BPF helper functions.

NameArchitectures
BPF_UNSPECall
BPF_MAP_LOOKUP_ELEMall
BPF_MAP_UPDATE_ELEMall
BPF_MAP_DELETE_ELEMall
BPF_PROBE_READall
BPF_KTIME_GET_NSall
BPF_TRACE_PRINTKall
BPF_GET_PRANDOM_U32all
BPF_GET_SMP_PROCESSOR_IDall
BPF_SKB_STORE_BYTESall
BPF_L3_CSUM_REPLACEall
BPF_L4_CSUM_REPLACEall
BPF_TAIL_CALLall
BPF_CLONE_REDIRECTall
BPF_GET_CURRENT_PID_TGIDall
BPF_GET_CURRENT_UID_GIDall
BPF_GET_CURRENT_COMMall
BPF_GET_CGROUP_CLASSIDall
BPF_SKB_VLAN_PUSHall
BPF_SKB_VLAN_POPall
BPF_SKB_GET_TUNNEL_KEYall
BPF_SKB_SET_TUNNEL_KEYall
BPF_PERF_EVENT_READall
BPF_REDIRECTall
BPF_GET_ROUTE_REALMall
BPF_PERF_EVENT_OUTPUTall
BPF_SKB_LOAD_BYTESall
BPF_GET_STACKIDall
BPF_CSUM_DIFFall
BPF_SKB_GET_TUNNEL_OPTall
BPF_SKB_SET_TUNNEL_OPTall
BPF_SKB_CHANGE_PROTOall
BPF_SKB_CHANGE_TYPEall
BPF_SKB_UNDER_CGROUPall
BPF_GET_HASH_RECALCall
BPF_GET_CURRENT_TASKall
BPF_PROBE_WRITE_USERall
BPF_CURRENT_TASK_UNDER_CGROUPall
BPF_SKB_CHANGE_TAILall
BPF_SKB_PULL_DATAall
BPF_CSUM_UPDATEall
BPF_SET_HASH_INVALIDall
BPF_GET_NUMA_NODE_IDall
BPF_SKB_CHANGE_HEADall
BPF_XDP_ADJUST_HEADall
BPF_PROBE_READ_STRall
BPF_GET_SOCKET_COOKIEall
BPF_GET_SOCKET_UIDall
BPF_SET_HASHall
BPF_SETSOCKOPTall
BPF_SKB_ADJUST_ROOMall
BPF_REDIRECT_MAPall
BPF_SK_REDIRECT_MAPall
BPF_SOCK_MAP_UPDATEall
BPF_XDP_ADJUST_METAall
BPF_PERF_EVENT_READ_VALUEall
BPF_PERF_PROG_READ_VALUEall
BPF_GETSOCKOPTall
BPF_OVERRIDE_RETURNall
BPF_SOCK_OPS_CB_FLAGS_SETall
BPF_MSG_REDIRECT_MAPall
BPF_MSG_APPLY_BYTESall
BPF_MSG_CORK_BYTESall
BPF_MSG_PULL_DATAall
BPF_BINDall
BPF_XDP_ADJUST_TAILall
BPF_SKB_GET_XFRM_STATEall
BPF_GET_STACKall
BPF_SKB_LOAD_BYTES_RELATIVEall
BPF_FIB_LOOKUPall
BPF_SOCK_HASH_UPDATEall
BPF_MSG_REDIRECT_HASHall
BPF_SK_REDIRECT_HASHall
BPF_LWT_PUSH_ENCAPall
BPF_LWT_SEG6_STORE_BYTESall
BPF_LWT_SEG6_ADJUST_SRHall
BPF_LWT_SEG6_ACTIONall
BPF_RC_REPEATall
BPF_RC_KEYDOWNall
BPF_SKB_CGROUP_IDall
BPF_GET_CURRENT_CGROUP_IDall
BPF_GET_LOCAL_STORAGEall
BPF_SK_SELECT_REUSEPORTall
BPF_SKB_ANCESTOR_CGROUP_IDall
BPF_SK_LOOKUP_TCPall
BPF_SK_LOOKUP_UDPall
BPF_SK_RELEASEall
BPF_MAP_PUSH_ELEMall
BPF_MAP_POP_ELEMall
BPF_MAP_PEEK_ELEMall
BPF_MSG_PUSH_DATAall
BPF_MSG_POP_DATAall
BPF_RC_POINTER_RELall
BPF_SPIN_LOCKall
BPF_SPIN_UNLOCKall
BPF_SK_FULLSOCKall
BPF_TCP_SOCKall
BPF_SKB_ECN_SET_CEall
BPF_GET_LISTENER_SOCKall
BPF_SKC_LOOKUP_TCPall
BPF_TCP_CHECK_SYNCOOKIEall
BPF_SYSCTL_GET_NAMEall
BPF_SYSCTL_GET_CURRENT_VALUEall
BPF_SYSCTL_GET_NEW_VALUEall
BPF_SYSCTL_SET_NEW_VALUEall
BPF_STRTOLall
BPF_STRTOULall
BPF_SK_STORAGE_GETall
BPF_SK_STORAGE_DELETEall
BPF_SEND_SIGNALall
BPF_TCP_GEN_SYNCOOKIEall
BPF_SKB_OUTPUTall
BPF_PROBE_READ_USERall
BPF_PROBE_READ_KERNELall
BPF_PROBE_READ_USER_STRall
BPF_PROBE_READ_KERNEL_STRall
BPF_TCP_SEND_ACKall
BPF_SEND_SIGNAL_THREADall
BPF_JIFFIES64all
BPF_READ_BRANCH_RECORDSall
BPF_GET_NS_CURRENT_PID_TGIDall
BPF_XDP_OUTPUTall
BPF_GET_NETNS_COOKIEall
BPF_GET_CURRENT_ANCESTOR_CGROUP_IDall
BPF_SK_ASSIGNall
BPF_KTIME_GET_BOOT_NSall
BPF_SEQ_PRINTFall
BPF_SEQ_WRITEall
BPF_SK_CGROUP_IDall
BPF_SK_ANCESTOR_CGROUP_IDall
BPF_RINGBUF_OUTPUTall
BPF_RINGBUF_RESERVEall
BPF_RINGBUF_SUBMITall
BPF_RINGBUF_DISCARDall
BPF_RINGBUF_QUERYall
BPF_CSUM_LEVELall
BPF_SKC_TO_TCP6_SOCKall
BPF_SKC_TO_TCP_SOCKall
BPF_SKC_TO_TCP_TIMEWAIT_SOCKall
BPF_SKC_TO_TCP_REQUEST_SOCKall
BPF_SKC_TO_UDP6_SOCKall
BPF_GET_TASK_STACKall
BPF_LOAD_HDR_OPTall
BPF_STORE_HDR_OPTall
BPF_RESERVE_HDR_OPTall
BPF_INODE_STORAGE_GETall
BPF_INODE_STORAGE_DELETEall
BPF_D_PATHall
BPF_COPY_FROM_USERall
BPF_SNPRINTF_BTFall
BPF_SEQ_PRINTF_BTFall
BPF_SKB_CGROUP_CLASSIDall
BPF_REDIRECT_NEIGHall
BPF_PER_CPU_PTRall
BPF_THIS_CPU_PTRall
BPF_REDIRECT_PEERall
BPF_TASK_STORAGE_GETall
BPF_TASK_STORAGE_DELETEall
BPF_GET_CURRENT_TASK_BTFall
BPF_BPRM_OPTS_SETall
BPF_KTIME_GET_COARSE_NSall
BPF_IMA_INODE_HASHall
BPF_SOCK_FROM_FILEall
BPF_CHECK_MTUall
BPF_FOR_EACH_MAP_ELEMall
BPF_SNPRINTFall

BPF map types

BPF map types are the supported eBPF map types.

NameArchitectures
BPF_MAP_TYPE_UNSPECall
BPF_MAP_TYPE_HASHall
BPF_MAP_TYPE_ARRAYall
BPF_MAP_TYPE_PROG_ARRAYall
BPF_MAP_TYPE_PERF_EVENT_ARRAYall
BPF_MAP_TYPE_PERCPU_HASHall
BPF_MAP_TYPE_PERCPU_ARRAYall
BPF_MAP_TYPE_STACK_TRACEall
BPF_MAP_TYPE_CGROUP_ARRAYall
BPF_MAP_TYPE_LRU_HASHall
BPF_MAP_TYPE_LRU_PERCPU_HASHall
BPF_MAP_TYPE_LPM_TRIEall
BPF_MAP_TYPE_ARRAY_OF_MAPSall
BPF_MAP_TYPE_HASH_OF_MAPSall
BPF_MAP_TYPE_DEVMAPall
BPF_MAP_TYPE_SOCKMAPall
BPF_MAP_TYPE_CPUMAPall
BPF_MAP_TYPE_XSKMAPall
BPF_MAP_TYPE_SOCKHASHall
BPF_MAP_TYPE_CGROUP_STORAGEall
BPF_MAP_TYPE_REUSEPORT_SOCKARRAYall
BPF_MAP_TYPE_PERCPU_CGROUP_STORAGEall
BPF_MAP_TYPE_QUEUEall
BPF_MAP_TYPE_STACKall
BPF_MAP_TYPE_SK_STORAGEall
BPF_MAP_TYPE_DEVMAP_HASHall
BPF_MAP_TYPE_STRUCT_OPSall
BPF_MAP_TYPE_RINGBUFall
BPF_MAP_TYPE_INODE_STORAGEall
BPF_MAP_TYPE_TASK_STORAGEall

BPF program types

BPF program types are the supported eBPF program types.

NameArchitectures
BPF_PROG_TYPE_UNSPECall
BPF_PROG_TYPE_SOCKET_FILTERall
BPF_PROG_TYPE_KPROBEall
BPF_PROG_TYPE_SCHED_CLSall
BPF_PROG_TYPE_SCHED_ACTall
BPF_PROG_TYPE_TRACEPOINTall
BPF_PROG_TYPE_XDPall
BPF_PROG_TYPE_PERF_EVENTall
BPF_PROG_TYPE_CGROUP_SKBall
BPF_PROG_TYPE_CGROUP_SOCKall
BPF_PROG_TYPE_LWT_INall
BPF_PROG_TYPE_LWT_OUTall
BPF_PROG_TYPE_LWT_XMITall
BPF_PROG_TYPE_SOCK_OPSall
BPF_PROG_TYPE_SK_SKBall
BPF_PROG_TYPE_CGROUP_DEVICEall
BPF_PROG_TYPE_SK_MSGall
BPF_PROG_TYPE_RAW_TRACEPOINTall
BPF_PROG_TYPE_CGROUP_SOCK_ADDRall
BPF_PROG_TYPE_LWT_SEG6LOCALall
BPF_PROG_TYPE_LIRC_MODE2all
BPF_PROG_TYPE_SK_REUSEPORTall
BPF_PROG_TYPE_FLOW_DISSECTORall
BPF_PROG_TYPE_CGROUP_SYSCTLall
BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLEall
BPF_PROG_TYPE_CGROUP_SOCKOPTall
BPF_PROG_TYPE_TRACINGall
BPF_PROG_TYPE_STRUCT_OPSall
BPF_PROG_TYPE_EXTall
BPF_PROG_TYPE_LSMall
BPF_PROG_TYPE_SK_LOOKUPall

Chmod mode constants

Chmod mode constants are the supported modes for the chmod syscall.

NameArchitectures
S_IFBLKall
S_IFCHRall
S_IFDIRall
S_IFIFOall
S_IFLNKall
S_IFMTall
S_IFREGall
S_IFSOCKall
S_IRGRPall
S_IROTHall
S_IRUSRall
S_IRWXGall
S_IRWXOall
S_IRWXUall
S_ISGIDall
S_ISUIDall
S_ISVTXall
S_IWGRPall
S_IWOTHall
S_IWUSRall
S_IXGRPall
S_IXOTHall
S_IXUSRall

DNS qclasses

DNS qclasses are the supported DNS query classes.

NameArchitectures
CLASS_INETall
CLASS_CSNETall
CLASS_CHAOSall
CLASS_HESIODall
CLASS_NONEall
CLASS_ANYall

DNS qtypes

DNS qtypes are the supported DNS query types.

NameArchitectures
Noneall
Aall
NSall
MDall
MFall
CNAMEall
SOAall
MBall
MGall
MRall
NULLall
PTRall
HINFOall
MINFOall
MXall
TXTall
RPall
AFSDBall
X25all
ISDNall
RTall
NSAPPTRall
SIGall
KEYall
PXall
GPOSall
AAAAall
LOCall
NXTall
EIDall
NIMLOCall
SRVall
ATMAall
NAPTRall
KXall
CERTall
DNAMEall
OPTall
APLall
DSall
SSHFPall
RRSIGall
NSECall
DNSKEYall
DHCIDall
NSEC3all
NSEC3PARAMall
TLSAall
SMIMEAall
HIPall
NINFOall
RKEYall
TALINKall
CDSall
CDNSKEYall
OPENPGPKEYall
CSYNCall
ZONEMDall
SVCBall
HTTPSall
SPFall
UINFOall
UIDall
GIDall
UNSPECall
NIDall
L32all
L64all
LPall
EUI48all
EUI64all
URIall
CAAall
AVCall
TKEYall
TSIGall
IXFRall
AXFRall
MAILBall
MAILAall
ANYall
TAall
DLVall
Reservedall

Error Constants

Error Constants are the supported error constants.

NameArchitectures
E2BIGall
EACCESall
EADDRINUSEall
EADDRNOTAVAILall
EADVall
EAFNOSUPPORTall
EAGAINall
EALREADYall
EBADEall
EBADFall
EBADFDall
EBADMSGall
EBADRall
EBADRQCall
EBADSLTall
EBFONTall
EBUSYall
ECANCELEDall
ECHILDall
ECHRNGall
ECOMMall
ECONNABORTEDall
ECONNREFUSEDall
ECONNRESETall
EDEADLKall
EDEADLOCKall
EDESTADDRREQall
EDOMall
EDOTDOTall
EDQUOTall
EEXISTall
EFAULTall
EFBIGall
EHOSTDOWNall
EHOSTUNREACHall
EIDRMall
EILSEQall
EINPROGRESSall
EINTRall
EINVALall
EIOall
EISCONNall
EISDIRall
EISNAMall
EKEYEXPIREDall
EKEYREJECTEDall
EKEYREVOKEDall
EL2HLTall
EL2NSYNCall
EL3HLTall
EL3RSTall
ELIBACCall
ELIBBADall
ELIBEXECall
ELIBMAXall
ELIBSCNall
ELNRNGall
ELOOPall
EMEDIUMTYPEall
EMFILEall
EMLINKall
EMSGSIZEall
EMULTIHOPall
ENAMETOOLONGall
ENAVAILall
ENETDOWNall
ENETRESETall
ENETUNREACHall
ENFILEall
ENOANOall
ENOBUFSall
ENOCSIall
ENODATAall
ENODEVall
ENOENTall
ENOEXECall
ENOKEYall
ENOLCKall
ENOLINKall
ENOMEDIUMall
ENOMEMall
ENOMSGall
ENONETall
ENOPKGall
ENOPROTOOPTall
ENOSPCall
ENOSRall
ENOSTRall
ENOSYSall
ENOTBLKall
ENOTCONNall
ENOTDIRall
ENOTEMPTYall
ENOTNAMall
ENOTRECOVERABLEall
ENOTSOCKall
ENOTSUPall
ENOTTYall
ENOTUNIQall
ENXIOall
EOPNOTSUPPall
EOVERFLOWall
EOWNERDEADall
EPERMall
EPFNOSUPPORTall
EPIPEall
EPROTOall
EPROTONOSUPPORTall
EPROTOTYPEall
ERANGEall
EREMCHGall
EREMOTEall
EREMOTEIOall
ERESTARTall
ERFKILLall
EROFSall
ESHUTDOWNall
ESOCKTNOSUPPORTall
ESPIPEall
ESRCHall
ESRMNTall
ESTALEall
ESTRPIPEall
ETIMEall
ETIMEDOUTall
ETOOMANYREFSall
ETXTBSYall
EUCLEANall
EUNATCHall
EUSERSall
EWOULDBLOCKall
EXDEVall
EXFULLall

Kernel Capability constants

Kernel Capability constants are the supported Linux Kernel Capability.

NameArchitectures
CAP_AUDIT_CONTROLall
CAP_AUDIT_READall
CAP_AUDIT_WRITEall
CAP_BLOCK_SUSPENDall
CAP_BPFall
CAP_CHECKPOINT_RESTOREall
CAP_CHOWNall
CAP_DAC_OVERRIDEall
CAP_DAC_READ_SEARCHall
CAP_FOWNERall
CAP_FSETIDall
CAP_IPC_LOCKall
CAP_IPC_OWNERall
CAP_KILLall
CAP_LAST_CAPall
CAP_LEASEall
CAP_LINUX_IMMUTABLEall
CAP_MAC_ADMINall
CAP_MAC_OVERRIDEall
CAP_MKNODall
CAP_NET_ADMINall
CAP_NET_BIND_SERVICEall
CAP_NET_BROADCASTall
CAP_NET_RAWall
CAP_PERFMONall
CAP_SETFCAPall
CAP_SETGIDall
CAP_SETPCAPall
CAP_SETUIDall
CAP_SYSLOGall
CAP_SYS_ADMINall
CAP_SYS_BOOTall
CAP_SYS_CHROOTall
CAP_SYS_MODULEall
CAP_SYS_NICEall
CAP_SYS_PACCTall
CAP_SYS_PTRACEall
CAP_SYS_RAWIOall
CAP_SYS_RESOURCEall
CAP_SYS_TIMEall
CAP_SYS_TTY_CONFIGall
CAP_WAKE_ALARMall

L3 protocols

L3 protocols are the supported Layer 3 protocols.

NameArchitectures
ETH_P_LOOPall
ETH_P_PUPall
ETH_P_PUPATall
ETH_P_TSNall
ETH_P_IPall
ETH_P_X25all
ETH_P_ARPall
ETH_P_BPQall
ETH_P_IEEEPUPall
ETH_P_IEEEPUPATall
ETH_P_BATMANall
ETH_P_DECall
ETH_P_DNADLall
ETH_P_DNARCall
ETH_P_DNARTall
ETH_P_LATall
ETH_P_DIAGall
ETH_P_CUSTall
ETH_P_SCAall
ETH_P_TEBall
ETH_P_RARPall
ETH_P_ATALKall
ETH_P_AARPall
ETH_P_8021_Qall
ETH_P_ERSPANall
ETH_P_IPXall
ETH_P_IPV6all
ETH_P_PAUSEall
ETH_P_SLOWall
ETH_P_WCCPall
ETH_P_MPLSUCall
ETH_P_MPLSMCall
ETH_P_ATMMPOAall
ETH_P_PPPDISCall
ETH_P_PPPSESall
ETH_P__LINK_CTLall
ETH_P_ATMFATEall
ETH_P_PAEall
ETH_P_AOEall
ETH_P_8021_ADall
ETH_P_802_EX1all
ETH_P_TIPCall
ETH_P_MACSECall
ETH_P_8021_AHall
ETH_P_MVRPall
ETH_P_1588all
ETH_P_NCSIall
ETH_P_PRPall
ETH_P_FCOEall
ETH_P_IBOEall
ETH_P_TDLSall
ETH_P_FIPall
ETH_P_80221all
ETH_P_HSRall
ETH_P_NSHall
ETH_P_LOOPBACKall
ETH_P_QINQ1all
ETH_P_QINQ2all
ETH_P_QINQ3all
ETH_P_EDSAall
ETH_P_IFEall
ETH_P_AFIUCVall
ETH_P_8023_MINall
ETH_P_IPV6_HOP_BY_HOPall
ETH_P_8023all
ETH_P_AX25all
ETH_P_ALLall
ETH_P_8022all
ETH_P_SNAPall
ETH_P_DDCMPall
ETH_P_WANPPPall
ETH_P_PPPMPall
ETH_P_LOCALTALKall
ETH_P_CANall
ETH_P_CANFDall
ETH_P_PPPTALKall
ETH_P_TR8022all
ETH_P_MOBITEXall
ETH_P_CONTROLall
ETH_P_IRDAall
ETH_P_ECONETall
ETH_P_HDLCall
ETH_P_ARCNETall
ETH_P_DSAall
ETH_P_TRAILERall
ETH_P_PHONETall
ETH_P_IEEE802154all
ETH_P_CAIFall
ETH_P_XDSAall
ETH_P_MAPall

L4 protocols

L4 protocols are the supported Layer 4 protocols.

NameArchitectures
IP_PROTO_IPall
IP_PROTO_ICMPall
IP_PROTO_IGMPall
IP_PROTO_IPIPall
IP_PROTO_TCPall
IP_PROTO_EGPall
IP_PROTO_IGPall
IP_PROTO_PUPall
IP_PROTO_UDPall
IP_PROTO_IDPall
IP_PROTO_TPall
IP_PROTO_DCCPall
IP_PROTO_IPV6all
IP_PROTO_RSVPall
IP_PROTO_GREall
IP_PROTO_ESPall
IP_PROTO_AHall
IP_PROTO_ICMPV6all
IP_PROTO_MTPall
IP_PROTO_BEETPHall
IP_PROTO_ENCAPall
IP_PROTO_PIMall
IP_PROTO_COMPall
IP_PROTO_SCTPall
IP_PROTO_UDPLITEall
IP_PROTO_MPLSall
IP_PROTO_RAWall

MMap flags

MMap flags are the supported flags for the mmap syscall.

NameArchitectures
MAP_SHAREDall
MAP_PRIVATEall
MAP_SHARED_VALIDATEall
MAP_ANONall
MAP_ANONYMOUSall
MAP_DENYWRITEall
MAP_EXECUTABLEall
MAP_FIXEDall
MAP_FIXED_NOREPLACEall
MAP_GROWSDOWNall
MAP_HUGETLBall
MAP_LOCKEDall
MAP_NONBLOCKall
MAP_NORESERVEall
MAP_POPULATEall
MAP_STACKall
MAP_SYNCall
MAP_UNINITIALIZEDall
MAP_HUGE_16KBall
MAP_HUGE_64KBall
MAP_HUGE_512KBall
MAP_HUGE_1MBall
MAP_HUGE_2MBall
MAP_HUGE_8MBall
MAP_HUGE_16MBall
MAP_HUGE_32MBall
MAP_HUGE_256MBall
MAP_HUGE_512MBall
MAP_HUGE_1GBall
MAP_HUGE_2GBall
MAP_HUGE_16GBall
MAP_32BITamd64

Network Address Family constants

Network Address Family constants are the supported network address families.

NameArchitectures
AF_UNSPECall
AF_LOCALall
AF_UNIXall
AF_FILEall
AF_INETall
AF_AX25all
AF_IPXall
AF_APPLETALKall
AF_NETROMall
AF_BRIDGEall
AF_ATMPVCall
AF_X25all
AF_INET6all
AF_ROSEall
AF_DECnetall
AF_NETBEUIall
AF_SECURITYall
AF_KEYall
AF_NETLINKall
AF_ROUTEall
AF_PACKETall
AF_ASHall
AF_ECONETall
AF_ATMSVCall
AF_RDSall
AF_SNAall
AF_IRDAall
AF_PPPOXall
AF_WANPIPEall
AF_LLCall
AF_IBall
AF_MPLSall
AF_CANall
AF_TIPCall
AF_BLUETOOTHall
AF_IUCVall
AF_RXRPCall
AF_ISDNall
AF_PHONETall
AF_IEEE802154all
AF_CAIFall
AF_ALGall
AF_NFCall
AF_VSOCKall
AF_KCMall
AF_QIPCRTRall
AF_SMCall
AF_XDPall
AF_MAXall

Open flags

Open flags are the supported flags for the open syscall.

NameArchitectures
O_RDONLYall
O_WRONLYall
O_RDWRall
O_APPENDall
O_CREATall
O_EXCLall
O_SYNCall
O_TRUNCall
O_ACCMODEall
O_ASYNCall
O_CLOEXECall
O_DIRECTall
O_DIRECTORYall
O_DSYNCall
O_FSYNCall
O_NDELAYall
O_NOATIMEall
O_NOCTTYall
O_NOFOLLOWall
O_NONBLOCKall
O_RSYNCall

Pipe buffer flags

Pipe buffer flags are the supported flags for a pipe buffer.

NameArchitectures
PIPE_BUF_FLAG_LRUall
PIPE_BUF_FLAG_ATOMICall
PIPE_BUF_FLAG_GIFTall
PIPE_BUF_FLAG_PACKETall
PIPE_BUF_FLAG_CAN_MERGEall
PIPE_BUF_FLAG_WHOLEall
PIPE_BUF_FLAG_LOSSall

Protection constants

Protection constants are the supported protections for the mmap syscall.

NameArchitectures
PROT_NONEall
PROT_READall
PROT_WRITEall
PROT_EXECall
PROT_GROWSDOWNall
PROT_GROWSUPall

Ptrace constants

Ptrace constants are the supported ptrace commands for the ptrace syscall.

NameArchitectures
PTRACE_TRACEMEall
PTRACE_PEEKTEXTall
PTRACE_PEEKDATAall
PTRACE_PEEKUSRall
PTRACE_POKETEXTall
PTRACE_POKEDATAall
PTRACE_POKEUSRall
PTRACE_CONTall
PTRACE_KILLall
PTRACE_SINGLESTEPall
PTRACE_ATTACHall
PTRACE_DETACHall
PTRACE_SYSCALLall
PTRACE_SETOPTIONSall
PTRACE_GETEVENTMSGall
PTRACE_GETSIGINFOall
PTRACE_SETSIGINFOall
PTRACE_GETREGSETall
PTRACE_SETREGSETall
PTRACE_SEIZEall
PTRACE_INTERRUPTall
PTRACE_LISTENall
PTRACE_PEEKSIGINFOall
PTRACE_GETSIGMASKall
PTRACE_SETSIGMASKall
PTRACE_SECCOMP_GET_FILTERall
PTRACE_SECCOMP_GET_METADATAall
PTRACE_GET_SYSCALL_INFOall
PTRACE_GETFPREGSamd64, arm
PTRACE_SETFPREGSamd64, arm
PTRACE_GETFPXREGSamd64
PTRACE_SETFPXREGSamd64
PTRACE_OLDSETOPTIONSamd64, arm
PTRACE_GET_THREAD_AREAamd64, arm
PTRACE_SET_THREAD_AREAamd64
PTRACE_ARCH_PRCTLamd64
PTRACE_SYSEMUamd64, arm64
PTRACE_SYSEMU_SINGLESTEPamd64, arm64
PTRACE_SINGLEBLOCKamd64
PTRACE_GETCRUNCHREGSarm
PTRACE_GETFDPICarm
PTRACE_GETFDPIC_EXECarm
PTRACE_GETFDPIC_INTERParm
PTRACE_GETHBPREGSarm
PTRACE_GETVFPREGSarm
PTRACE_GETWMMXREGSarm
PTRACE_SETCRUNCHREGSarm
PTRACE_SETHBPREGSarm
PTRACE_SETVFPREGSarm
PTRACE_SETWMMXREGSarm
PTRACE_SET_SYSCALLarm
PTRACE_PEEKMTETAGSarm64
PTRACE_POKEMTETAGSarm64

SecL constants

SecL constants are the supported generic SecL constants.

NameArchitectures
trueall
falseall

Signal constants

Signal constants are the supported signals for the kill syscall.

NameArchitectures
SIGHUPall
SIGINTall
SIGQUITall
SIGILLall
SIGTRAPall
SIGABRTall
SIGIOTall
SIGBUSall
SIGFPEall
SIGKILLall
SIGUSR1all
SIGSEGVall
SIGUSR2all
SIGPIPEall
SIGALRMall
SIGTERMall
SIGSTKFLTall
SIGCHLDall
SIGCONTall
SIGSTOPall
SIGTSTPall
SIGTTINall
SIGTTOUall
SIGURGall
SIGXCPUall
SIGXFSZall
SIGVTALRMall
SIGPROFall
SIGWINCHall
SIGIOall
SIGPOLLall
SIGPWRall
SIGSYSall

Unlink flags are the supported flags for the unlink syscall.

NameArchitectures
AT_REMOVEDIRall

Virtual Memory flags

Virtual Memory flags define the protection of a virtual memory segment.

NameArchitectures
VM_NONEall
VM_READall
VM_WRITEall
VM_EXECall
VM_SHAREDall
VM_MAYREADall
VM_MAYWRITEall
VM_MAYEXECall
VM_MAYSHAREall
VM_GROWSDOWNall
VM_UFFD_MISSINGall
VM_PFNMAPall
VM_UFFD_WPall
VM_LOCKEDall
VM_IOall
VM_SEQ_READall
VM_RAND_READall
VM_DONTCOPYall
VM_DONTEXPANDall
VM_LOCKONFAULTall
VM_ACCOUNTall
VM_NORESERVEall
VM_HUGETLBall
VM_SYNCall
VM_ARCH_1all
VM_WIPEONFORKall
VM_DONTDUMPall
VM_SOFTDIRTYall
VM_MIXEDMAPall
VM_HUGEPAGEall
VM_NOHUGEPAGEall
VM_MERGEABLEall

お役に立つドキュメント、リンクや記事:

Get started with Datadog Cloud Workload SecurityDOCUMENTATION more more