Cloud Workload Security (CWS) first evaluates activity within the Datadog Agent against Agent expressions to decide what activity to collect. This portion of a CWS rule is called the Agent expression. Agent expressions use Datadog’s Security Language (SECL). The standard format of a SECL expression is as follows:
<event-type>.<event-attribute> <operator> <value> <event-attribute> ...
Using this format, an example rule looks like this:
open.file.path == "/etc/shadow" && process.file.path not in ["/usr/sbin/vipw"]
Triggers are events that correspond to types of activity seen by the system. The currently supported set of triggers is:
SECL Event | Type | Definition | Agent Version |
---|---|---|---|
bind | Network | [Experimental] A bind was executed | 7.37 |
bpf | Kernel | A BPF command was executed | 7.33 |
capset | Process | A process changed its capability set | 7.27 |
chmod | File | A file’s permissions were changed | 7.27 |
chown | File | A file’s owner was changed | 7.27 |
dns | Network | A DNS request was sent | 7.36 |
exec | Process | A process was executed or forked | 7.27 |
exit | Process | A process was terminated | 7.38 |
link | File | Create a new name/alias for a file | 7.27 |
load_module | Kernel | A new kernel module was loaded | 7.35 |
mkdir | File | A directory was created | 7.27 |
mmap | Kernel | A mmap command was executed | 7.35 |
mount | File | [Experimental] A filesystem was mounted | 7.42 |
mprotect | Kernel | A mprotect command was executed | 7.35 |
open | File | A file was opened | 7.27 |
ptrace | Kernel | A ptrace command was executed | 7.35 |
removexattr | File | Remove extended attributes | 7.27 |
rename | File | A file/directory was renamed | 7.27 |
rmdir | File | A directory was removed | 7.27 |
selinux | Kernel | An SELinux operation was run | 7.30 |
setgid | Process | A process changed its effective gid | 7.27 |
setuid | Process | A process changed its effective uid | 7.27 |
setxattr | File | Set extended attributes | 7.27 |
signal | Process | A signal was sent | 7.35 |
splice | File | A splice command was executed | 7.36 |
unlink | File | A file was deleted | 7.27 |
unload_module | Kernel | A kernel module was deleted | 7.35 |
utimes | File | Change file access/modification times | 7.27 |
SECL operators are used to combine event attributes together into a full expression. The following operators are available:
SECL Operator | Types | Definition | Agent Version |
---|---|---|---|
== | Process | Equal | 7.27 |
!= | File | Not equal | 7.27 |
> | File | Greater | 7.27 |
>= | File | Greater or equal | 7.27 |
< | File | Lesser | 7.27 |
<= | File | Lesser or equal | 7.27 |
! | File | Not | 7.27 |
^ | File | Binary not | 7.27 |
in [elem1, ...] | File | Element is contained in list | 7.27 |
not in [elem1, ...] | File | Element is not contained in list | 7.27 |
=~ | File | String matching | 7.27 |
!~ | File | String not matching | 7.27 |
& | File | Binary and | 7.27 |
\| | File | Binary or | 7.27 |
&& | File | Logical and | 7.27 |
\|\| | File | Logical or | 7.27 |
in CIDR | Network | Element is in the IP range | 7.37 |
not in CIDR | Network | Element is not in the IP range | 7.37 |
allin CIDR | Network | All the elements are in the IP range | 7.37 |
in [CIDR1, ...] | Network | Element is in the IP ranges | 7.37 |
not in [CIDR1, ...] | Network | Element is not in the IP ranges | 7.37 |
allin [CIDR1, ...] | Network | All the elements are in the IP ranges | 7.37 |
Patterns or regular expressions can be used in SECL expressions. They can be used with the `in`, `not in`, `=~`, and `!~` operators.
Format | Example | Supported Fields | Agent Version |
---|---|---|---|
~"pattern" | ~"httpd.*" | All | 7.27 |
r"regexp" | r"rc[0-9]+" | All except .path | 7.27 |
Patterns on `.path` fields are evaluated as globs: `*` matches files and folders at the same level, and `**`, introduced in 7.34, can be used at the end of a path to match all the files and subfolders beneath it.
You can use SECL to write rules based on durations, which trigger on events that occur during a specific time period. For example, trigger on an event where a secret file is accessed more than a certain length of time after a process is created. Such a rule could be written as follows:
open.file.path == "/etc/secret" && process.file.name == "java" && process.created_at > 5s
Durations are numbers with a unit suffix. The supported suffixes are “s”, “m”, “h”.
SECL variables are predefined variables that can be used as values or as part of values.
For example, a rule using the `process.pid` variable looks like this:
open.file.path == "/proc/${process.pid}/maps"
List of the available variables:
SECL Variable | Definition | Agent Version |
---|---|---|
process.pid | Process PID | 7.33 |
CIDR and IP matching is possible in SECL. The `in`, `not in`, and `allin` operators can be combined with CIDR or IP notations. Such rules can be written as follows:
dns.question.name == "example.com" && network.destination.ip in ["192.168.1.25", "10.0.0.0/24"]
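The two list-matching behaviours described above, `.path` patterns with `*`/`**` and IP/CIDR lists with `in`/`allin`, modelled in Python as an added example (not Datadog's or the Agent's code). The pattern-to-regex translation, the treatment of a bare IP literal as a single-host range, the "empty field does not satisfy allin" choice and the `/usr/local/sbin/*` exclusion are this example's assumptions, not statements from the page.

```python
import ipaddress
import re

# Added example, not Datadog's code: models how SECL matches list operands for
# two field kinds described on this page, .path patterns and IP/CIDR lists.


def path_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a ~"pattern" used on a .path field into a regular expression.

    Page semantics: '*' matches files and folders at the same level only
    (it never crosses a '/'); a trailing '**' matches all files and
    subfolders beneath that point.
    """
    recurse = pattern.endswith("**")
    if recurse:
        pattern = pattern[:-2]
    # Escape regex metacharacters, then turn each literal '*' into "one path segment".
    body = re.escape(pattern).replace(r"\*", "[^/]*")
    if recurse:
        body += ".*"
    return re.compile(body)


def path_matches(pattern: str, path: str) -> bool:
    return path_pattern_to_regex(pattern).fullmatch(path) is not None


def path_in(value: str, candidates: list) -> bool:
    """SECL 'in [ ... ]' on a .path field.

    Assumption: a candidate written as ~"..." is a pattern, any other
    candidate is an exact string.
    """
    for cand in candidates:
        if cand.startswith('~"') and cand.endswith('"'):
            if path_matches(cand[2:-1], value):
                return True
        elif cand == value:
            return True
    return False


def ip_network(spec: str) -> ipaddress._BaseNetwork:
    """A bare IP literal inside a CIDR list is treated as a single-host range (/32 or /128)."""
    return ipaddress.ip_network(spec, strict=False)


def ip_in(value: str, ranges: list) -> bool:
    """SECL 'in [CIDR1, ...]': the address lies inside at least one range."""
    addr = ipaddress.ip_address(value)
    return any(addr in ip_network(r) for r in ranges)


def ips_allin(values: list, ranges: list) -> bool:
    """SECL 'allin [CIDR1, ...]': every address of a multi-valued field lies inside some range.

    Assumption: an empty field does not satisfy allin.
    """
    return bool(values) and all(ip_in(v, ranges) for v in values)


def dns_rule_matches(question_name: str, destination_ip: str) -> bool:
    """The page's rule:
    dns.question.name == "example.com" && network.destination.ip in ["192.168.1.25", "10.0.0.0/24"]
    """
    return question_name == "example.com" and ip_in(destination_ip, ["192.168.1.25", "10.0.0.0/24"])


def shadow_rule_matches(open_path: str, process_path: str) -> bool:
    """A variant of the page's first rule with a pattern in the exclusion list:
    open.file.path == "/etc/shadow" && process.file.path not in ["/usr/sbin/vipw", ~"/usr/local/sbin/*"]
    (the second list element is a constructed example, not from the page).
    """
    excluded = ["/usr/sbin/vipw", '~"/usr/local/sbin/*"']
    return open_path == "/etc/shadow" and not path_in(process_path, excluded)
```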
Helpers exist in SECL that enable users to write advanced rules without needing to rely on generic techniques such as regex.
The `args_flags` and `args_options` helpers ease the writing of CWS rules based on command line arguments.
`args_flags` is used to catch arguments that start with either one or two hyphen characters but do not accept any associated value.
Examples:
- `version` is part of `args_flags` for the command `cat --version`
- `l` and `n` are both in `args_flags` for the command `netstat -ln`
`args_options` is used to catch arguments that start with either one or two hyphen characters and accept a value, specified either in the same argument separated by the `=` character or as the next argument.
Examples:
- `T=8` and `width=8` are both in `args_options` for the command `ls -T 8 --width=8`
- `exec.args_options =~ [ "s=.*\\" ]` can be used to detect that `sudoedit` was launched with the `-s` argument and a command that ends with a `\`
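A simplified model of the `args_flags` / `args_options` helpers just described, written in Python as an added example (not the Agent's implementation), and used to evaluate the page's `sudoedit` rule. The classification heuristic (a hyphen argument followed by a non-hyphen argument consumes it as a value), the any-element-matches semantics for `=~` on an array, and the added executable-name check are assumptions of this example.

```python
import re
from typing import List, Tuple

# Added example, not Datadog's code: a simplified model of the args_flags and
# args_options helpers described on this page, plus the page's sudoedit rule.


def split_args(argv: List[str]) -> Tuple[List[str], List[str]]:
    """Return (args_flags, args_options) for a command line.

    Page semantics: both helpers look at arguments starting with one or two
    hyphens; args_flags are those carrying no value, args_options those whose
    value is given either as name=value in the same argument or as the next
    argument. Elements are stored without their leading hyphens.

    Assumption (this model, not the Agent): a hyphen argument followed by a
    non-hyphen argument is treated as an option consuming that value, so a
    bare positional argument after a flag (e.g. 'ls -l file') is ambiguous
    and is classified as an option here.
    """
    flags: List[str] = []
    options: List[str] = []
    i = 1  # argv[0] is the program itself
    while i < len(argv):
        arg = argv[i]
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        if arg.startswith("--"):
            name = arg[2:]
        elif arg.startswith("-"):
            name = arg[1:]
        else:
            name = ""
        if name:  # a lone "-" or "--" is neither a flag nor an option
            if "=" in name:
                options.append(name)              # --width=8 -> "width=8"
            elif nxt is not None and not nxt.startswith("-"):
                options.append(name + "=" + nxt)  # -T 8 -> "T=8"
                i += 1                            # the value is consumed
            elif arg.startswith("--"):
                flags.append(name)                # --version -> "version"
            else:
                flags.extend(name)                # -ln -> "l", "n"
        i += 1
    return flags, options


def any_matches(values: List[str], regexps: List[str]) -> bool:
    """'=~ [ r1, ... ]' on an array field, modelled as: some element fully
    matches some pattern (assumption about the array semantics)."""
    return any(re.fullmatch(p, v) for v in values for p in regexps)


def sudoedit_rule_matches(file_name: str, argv: List[str]) -> bool:
    r"""The page's example, exec.args_options =~ [ "s=.*\\" ], with an added
    check on the executable name so it only fires for sudoedit."""
    _, options = split_args(argv)
    return file_name == "sudoedit" and any_matches(options, [r"s=.*\\"])
```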
The `file.rights` attribute can now be used in addition to `file.mode`. `file.mode` can hold values set by the kernel, while `file.rights` only holds the values set by the user. These rights may be more familiar because they are the ones used in `chmod` commands.
Property | Type | Definition | Constants |
---|---|---|---|
async | bool | True if the syscall was asynchronous | |
container.id | string | ID of the container | |
container.tags | string | Tags of the container | |
network.destination.ip | IP/CIDR | IP address | |
network.destination.port | int | Port number | |
network.device.ifindex | int | interface ifindex | |
network.device.ifname | string | interface ifname | |
network.l3_protocol | int | l3 protocol of the network packet | L3 protocols |
network.l4_protocol | int | l4 protocol of the network packet | L4 protocols |
network.size | int | size in bytes of the network packet | |
network.source.ip | IP/CIDR | IP address | |
network.source.port | int | Port number | |
process.ancestors.args | string | Arguments of the process (as a string) | |
process.ancestors.args_flags | string | Arguments of the process (as an array) | |
process.ancestors.args_options | string | Arguments of the process (as an array) | |
process.ancestors.args_truncated | bool | Indicator of arguments truncation | |
process.ancestors.argv | string | Arguments of the process (as an array) | |
process.ancestors.argv0 | string | First argument of the process | |
process.ancestors.cap_effective | int | Effective capability set of the process | Kernel Capability constants |
process.ancestors.cap_permitted | int | Permitted capability set of the process | Kernel Capability constants |
process.ancestors.comm | string | Comm attribute of the process | |
process.ancestors.container.id | string | Container ID | |
process.ancestors.cookie | int | Cookie of the process | |
process.ancestors.created_at | int | Timestamp of the creation of the process | |
process.ancestors.egid | int | Effective GID of the process | |
process.ancestors.egroup | string | Effective group of the process | |
process.ancestors.envp | string | Environment variables of the process | |
process.ancestors.envs | string | Environment variable names of the process | |
process.ancestors.envs_truncated | bool | Indicator of environment variables truncation | |
process.ancestors.euid | int | Effective UID of the process | |
process.ancestors.euser | string | Effective user of the process | |
process.ancestors.file.change_time | int | Change time of the file | |
process.ancestors.file.filesystem | string | File’s filesystem | |
process.ancestors.file.gid | int | GID of the file’s owner | |
process.ancestors.file.group | string | Group of the file’s owner | |
process.ancestors.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
process.ancestors.file.inode | int | Inode of the file | |
process.ancestors.file.mode | int | Mode/rights of the file | Chmod mode constants |
process.ancestors.file.modification_time | int | Modification time of the file | |
process.ancestors.file.mount_id | int | Mount ID of the file | |
process.ancestors.file.name | string | File’s basename | |
process.ancestors.file.name.length | int | Length of ‘process.ancestors.file.name’ string | |
process.ancestors.file.path | string | File’s path | |
process.ancestors.file.path.length | int | Length of ‘process.ancestors.file.path’ string | |
process.ancestors.file.rights | int | Mode/rights of the file | Chmod mode constants |
process.ancestors.file.uid | int | UID of the file’s owner | |
process.ancestors.file.user | string | User of the file’s owner | |
process.ancestors.fsgid | int | FileSystem-gid of the process | |
process.ancestors.fsgroup | string | FileSystem-group of the process | |
process.ancestors.fsuid | int | FileSystem-uid of the process | |
process.ancestors.fsuser | string | FileSystem-user of the process | |
process.ancestors.gid | int | GID of the process | |
process.ancestors.group | string | Group of the process | |
process.ancestors.interpreter.file.change_time | int | Change time of the file | |
process.ancestors.interpreter.file.filesystem | string | File’s filesystem | |
process.ancestors.interpreter.file.gid | int | GID of the file’s owner | |
process.ancestors.interpreter.file.group | string | Group of the file’s owner | |
process.ancestors.interpreter.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
process.ancestors.interpreter.file.inode | int | Inode of the file | |
process.ancestors.interpreter.file.mode | int | Mode/rights of the file | Chmod mode constants |
process.ancestors.interpreter.file.modification_time | int | Modification time of the file | |
process.ancestors.interpreter.file.mount_id | int | Mount ID of the file | |
process.ancestors.interpreter.file.name | string | File’s basename | |
process.ancestors.interpreter.file.name.length | int | Length of ‘process.ancestors.interpreter.file.name’ string | |
process.ancestors.interpreter.file.path | string | File’s path | |
process.ancestors.interpreter.file.path.length | int | Length of ‘process.ancestors.interpreter.file.path’ string | |
process.ancestors.interpreter.file.rights | int | Mode/rights of the file | Chmod mode constants |
process.ancestors.interpreter.file.uid | int | UID of the file’s owner | |
process.ancestors.interpreter.file.user | string | User of the file’s owner | |
process.ancestors.is_kworker | bool | Indicates whether the process is a kworker | |
process.ancestors.is_thread | bool | Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program) | |
process.ancestors.pid | int | Process ID of the process (also called thread group ID) | |
process.ancestors.ppid | int | Parent process ID | |
process.ancestors.tid | int | Thread ID of the thread | |
process.ancestors.tty_name | string | Name of the TTY associated with the process | |
process.ancestors.uid | int | UID of the process | |
process.ancestors.user | string | User of the process | |
process.args | string | Arguments of the process (as a string) | |
process.args_flags | string | Arguments of the process (as an array) | |
process.args_options | string | Arguments of the process (as an array) | |
process.args_truncated | bool | Indicator of arguments truncation | |
process.argv | string | Arguments of the process (as an array) | |
process.argv0 | string | First argument of the process | |
process.cap_effective | int | Effective capability set of the process | Kernel Capability constants |
process.cap_permitted | int | Permitted capability set of the process | Kernel Capability constants |
process.comm | string | Comm attribute of the process | |
process.container.id | string | Container ID | |
process.cookie | int | Cookie of the process | |
process.created_at | int | Timestamp of the creation of the process | |
process.egid | int | Effective GID of the process | |
process.egroup | string | Effective group of the process | |
process.envp | string | Environment variables of the process | |
process.envs | string | Environment variable names of the process | |
process.envs_truncated | bool | Indicator of environment variables truncation | |
process.euid | int | Effective UID of the process | |
process.euser | string | Effective user of the process | |
process.file.change_time | int | Change time of the file | |
process.file.filesystem | string | File’s filesystem | |
process.file.gid | int | GID of the file’s owner | |
process.file.group | string | Group of the file’s owner | |
process.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
process.file.inode | int | Inode of the file | |
process.file.mode | int | Mode/rights of the file | Chmod mode constants |
process.file.modification_time | int | Modification time of the file | |
process.file.mount_id | int | Mount ID of the file | |
process.file.name | string | File’s basename | |
process.file.name.length | int | Length of ‘process.file.name’ string | |
process.file.path | string | File’s path | |
process.file.path.length | int | Length of ‘process.file.path’ string | |
process.file.rights | int | Mode/rights of the file | Chmod mode constants |
process.file.uid | int | UID of the file’s owner | |
process.file.user | string | User of the file’s owner | |
process.fsgid | int | FileSystem-gid of the process | |
process.fsgroup | string | FileSystem-group of the process | |
process.fsuid | int | FileSystem-uid of the process | |
process.fsuser | string | FileSystem-user of the process | |
process.gid | int | GID of the process | |
process.group | string | Group of the process | |
process.interpreter.file.change_time | int | Change time of the file | |
process.interpreter.file.filesystem | string | File’s filesystem | |
process.interpreter.file.gid | int | GID of the file’s owner | |
process.interpreter.file.group | string | Group of the file’s owner | |
process.interpreter.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
process.interpreter.file.inode | int | Inode of the file | |
process.interpreter.file.mode | int | Mode/rights of the file | Chmod mode constants |
process.interpreter.file.modification_time | int | Modification time of the file | |
process.interpreter.file.mount_id | int | Mount ID of the file | |
process.interpreter.file.name | string | File’s basename | |
process.interpreter.file.name.length | int | Length of ‘process.interpreter.file.name’ string | |
process.interpreter.file.path | string | File’s path | |
process.interpreter.file.path.length | int | Length of ‘process.interpreter.file.path’ string | |
process.interpreter.file.rights | int | Mode/rights of the file | Chmod mode constants |
process.interpreter.file.uid | int | UID of the file’s owner | |
process.interpreter.file.user | string | User of the file’s owner | |
process.is_kworker | bool | Indicates whether the process is a kworker | |
process.is_thread | bool | Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program) | |
process.parent.args | string | Arguments of the process (as a string) | |
process.parent.args_flags | string | Arguments of the process (as an array) | |
process.parent.args_options | string | Arguments of the process (as an array) | |
process.parent.args_truncated | bool | Indicator of arguments truncation | |
process.parent.argv | string | Arguments of the process (as an array) | |
process.parent.argv0 | string | First argument of the process | |
process.parent.cap_effective | int | Effective capability set of the process | Kernel Capability constants |
process.parent.cap_permitted | int | Permitted capability set of the process | Kernel Capability constants |
process.parent.comm | string | Comm attribute of the process | |
process.parent.container.id | string | Container ID | |
process.parent.cookie | int | Cookie of the process | |
process.parent.created_at | int | Timestamp of the creation of the process | |
process.parent.egid | int | Effective GID of the process | |
process.parent.egroup | string | Effective group of the process | |
process.parent.envp | string | Environment variables of the process | |
process.parent.envs | string | Environment variable names of the process | |
process.parent.envs_truncated | bool | Indicator of environment variables truncation | |
process.parent.euid | int | Effective UID of the process | |
process.parent.euser | string | Effective user of the process | |
process.parent.file.change_time | int | Change time of the file | |
process.parent.file.filesystem | string | File’s filesystem | |
process.parent.file.gid | int | GID of the file’s owner | |
process.parent.file.group | string | Group of the file’s owner | |
process.parent.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
process.parent.file.inode | int | Inode of the file | |
process.parent.file.mode | int | Mode/rights of the file | Chmod mode constants |
process.parent.file.modification_time | int | Modification time of the file | |
process.parent.file.mount_id | int | Mount ID of the file | |
process.parent.file.name | string | File’s basename | |
process.parent.file.name.length | int | Length of ‘process.parent.file.name’ string | |
process.parent.file.path | string | File’s path | |
process.parent.file.path.length | int | Length of ‘process.parent.file.path’ string | |
process.parent.file.rights | int | Mode/rights of the file | Chmod mode constants |
process.parent.file.uid | int | UID of the file’s owner | |
process.parent.file.user | string | User of the file’s owner | |
process.parent.fsgid | int | FileSystem-gid of the process | |
process.parent.fsgroup | string | FileSystem-group of the process | |
process.parent.fsuid | int | FileSystem-uid of the process | |
process.parent.fsuser | string | FileSystem-user of the process | |
process.parent.gid | int | GID of the process | |
process.parent.group | string | Group of the process | |
process.parent.interpreter.file.change_time | int | Change time of the file | |
process.parent.interpreter.file.filesystem | string | File’s filesystem | |
process.parent.interpreter.file.gid | int | GID of the file’s owner | |
process.parent.interpreter.file.group | string | Group of the file’s owner | |
process.parent.interpreter.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
process.parent.interpreter.file.inode | int | Inode of the file | |
process.parent.interpreter.file.mode | int | Mode/rights of the file | Chmod mode constants |
process.parent.interpreter.file.modification_time | int | Modification time of the file | |
process.parent.interpreter.file.mount_id | int | Mount ID of the file | |
process.parent.interpreter.file.name | string | File’s basename | |
process.parent.interpreter.file.name.length | int | Length of ‘process.parent.interpreter.file.name’ string | |
process.parent.interpreter.file.path | string | File’s path | |
process.parent.interpreter.file.path.length | int | Length of ‘process.parent.interpreter.file.path’ string | |
process.parent.interpreter.file.rights | int | Mode/rights of the file | Chmod mode constants |
process.parent.interpreter.file.uid | int | UID of the file’s owner | |
process.parent.interpreter.file.user | string | User of the file’s owner | |
process.parent.is_kworker | bool | Indicates whether the process is a kworker | |
process.parent.is_thread | bool | Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program) | |
process.parent.pid | int | Process ID of the process (also called thread group ID) | |
process.parent.ppid | int | Parent process ID | |
process.parent.tid | int | Thread ID of the thread | |
process.parent.tty_name | string | Name of the TTY associated with the process | |
process.parent.uid | int | UID of the process | |
process.parent.user | string | User of the process | |
process.pid | int | Process ID of the process (also called thread group ID) | |
process.ppid | int | Parent process ID | |
process.tid | int | Thread ID of the thread | |
process.tty_name | string | Name of the TTY associated with the process | |
process.uid | int | UID of the process | |
process.user | string | User of the process | |
bind
This event type is experimental and may change in the future.
A bind was executed
Property | Type | Definition | Constants |
---|---|---|---|
bind.addr.family | int | Address family | |
bind.addr.ip | IP/CIDR | IP address | |
bind.addr.port | int | Port number | |
bind.retval | int | Return value of the syscall | Error Constants |
bpf
A BPF command was executed
Property | Type | Definition | Constants |
---|---|---|---|
bpf.cmd | int | BPF command name | BPF commands |
bpf.map.name | string | Name of the eBPF map (added in 7.35) | |
bpf.map.type | int | Type of the eBPF map | BPF map types |
bpf.prog.attach_type | int | Attach type of the eBPF program | BPF attach types |
bpf.prog.helpers | int | eBPF helpers used by the eBPF program (added in 7.35) | BPF helper functions |
bpf.prog.name | string | Name of the eBPF program (added in 7.35) | |
bpf.prog.tag | string | Hash (sha1) of the eBPF program (added in 7.35) | |
bpf.prog.type | int | Type of the eBPF program | BPF program types |
bpf.retval | int | Return value of the syscall | Error Constants |
capset
A process changed its capability set
Property | Type | Definition | Constants |
---|---|---|---|
capset.cap_effective | int | Effective capability set of the process | Kernel Capability constants |
capset.cap_permitted | int | Permitted capability set of the process | Kernel Capability constants |
chmod
A file’s permissions were changed
Property | Type | Definition | Constants |
---|---|---|---|
chmod.file.change_time | int | Change time of the file | |
chmod.file.destination.mode | int | New mode/rights of the chmod-ed file | Chmod mode constants |
chmod.file.destination.rights | int | New mode/rights of the chmod-ed file | Chmod mode constants |
chmod.file.filesystem | string | File’s filesystem | |
chmod.file.gid | int | GID of the file’s owner | |
chmod.file.group | string | Group of the file’s owner | |
chmod.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
chmod.file.inode | int | Inode of the file | |
chmod.file.mode | int | Mode/rights of the file | Chmod mode constants |
chmod.file.modification_time | int | Modification time of the file | |
chmod.file.mount_id | int | Mount ID of the file | |
chmod.file.name | string | File’s basename | |
chmod.file.name.length | int | Length of ‘chmod.file.name’ string | |
chmod.file.path | string | File’s path | |
chmod.file.path.length | int | Length of ‘chmod.file.path’ string | |
chmod.file.rights | int | Mode/rights of the file | Chmod mode constants |
chmod.file.uid | int | UID of the file’s owner | |
chmod.file.user | string | User of the file’s owner | |
chmod.retval | int | Return value of the syscall | Error Constants |
chown
A file’s owner was changed
Property | Type | Definition | Constants |
---|---|---|---|
chown.file.change_time | int | Change time of the file | |
chown.file.destination.gid | int | New GID of the chown-ed file’s owner | |
chown.file.destination.group | string | New group of the chown-ed file’s owner | |
chown.file.destination.uid | int | New UID of the chown-ed file’s owner | |
chown.file.destination.user | string | New user of the chown-ed file’s owner | |
chown.file.filesystem | string | File’s filesystem | |
chown.file.gid | int | GID of the file’s owner | |
chown.file.group | string | Group of the file’s owner | |
chown.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
chown.file.inode | int | Inode of the file | |
chown.file.mode | int | Mode/rights of the file | Chmod mode constants |
chown.file.modification_time | int | Modification time of the file | |
chown.file.mount_id | int | Mount ID of the file | |
chown.file.name | string | File’s basename | |
chown.file.name.length | int | Length of ‘chown.file.name’ string | |
chown.file.path | string | File’s path | |
chown.file.path.length | int | Length of ‘chown.file.path’ string | |
chown.file.rights | int | Mode/rights of the file | Chmod mode constants |
chown.file.uid | int | UID of the file’s owner | |
chown.file.user | string | User of the file’s owner | |
chown.retval | int | Return value of the syscall | Error Constants |
dns
A DNS request was sent
Property | Type | Definition | Constants |
---|---|---|---|
dns.id | int | [Experimental] The DNS request ID | |
dns.question.class | int | The class looked up by the DNS question | DNS qclasses |
dns.question.count | int | The total count of questions in the DNS request | |
dns.question.length | int | The total DNS request size in bytes | |
dns.question.name | string | The queried domain name | |
dns.question.name.length | int | Length of ‘dns.question.name’ string | |
dns.question.type | int | A two octet code which specifies the DNS question type | DNS qtypes |
exec
A process was executed or forked
Property | Type | Definition | Constants |
---|---|---|---|
exec.args | string | Arguments of the process (as a string) | |
exec.args_flags | string | Arguments of the process (as an array) | |
exec.args_options | string | Arguments of the process (as an array) | |
exec.args_truncated | bool | Indicator of arguments truncation | |
exec.argv | string | Arguments of the process (as an array) | |
exec.argv0 | string | First argument of the process | |
exec.cap_effective | int | Effective capability set of the process | Kernel Capability constants |
exec.cap_permitted | int | Permitted capability set of the process | Kernel Capability constants |
exec.comm | string | Comm attribute of the process | |
exec.container.id | string | Container ID | |
exec.cookie | int | Cookie of the process | |
exec.created_at | int | Timestamp of the creation of the process | |
exec.egid | int | Effective GID of the process | |
exec.egroup | string | Effective group of the process | |
exec.envp | string | Environment variables of the process | |
exec.envs | string | Environment variable names of the process | |
exec.envs_truncated | bool | Indicator of environment variables truncation | |
exec.euid | int | Effective UID of the process | |
exec.euser | string | Effective user of the process | |
exec.file.change_time | int | Change time of the file | |
exec.file.filesystem | string | File’s filesystem | |
exec.file.gid | int | GID of the file’s owner | |
exec.file.group | string | Group of the file’s owner | |
exec.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
exec.file.inode | int | Inode of the file | |
exec.file.mode | int | Mode/rights of the file | Chmod mode constants |
exec.file.modification_time | int | Modification time of the file | |
exec.file.mount_id | int | Mount ID of the file | |
exec.file.name | string | File’s basename | |
exec.file.name.length | int | Length of ‘exec.file.name’ string | |
exec.file.path | string | File’s path | |
exec.file.path.length | int | Length of ‘exec.file.path’ string | |
exec.file.rights | int | Mode/rights of the file | Chmod mode constants |
exec.file.uid | int | UID of the file’s owner | |
exec.file.user | string | User of the file’s owner | |
exec.fsgid | int | FileSystem-gid of the process | |
exec.fsgroup | string | FileSystem-group of the process | |
exec.fsuid | int | FileSystem-uid of the process | |
exec.fsuser | string | FileSystem-user of the process | |
exec.gid | int | GID of the process | |
exec.group | string | Group of the process | |
exec.interpreter.file.change_time | int | Change time of the file | |
exec.interpreter.file.filesystem | string | File’s filesystem | |
exec.interpreter.file.gid | int | GID of the file’s owner | |
exec.interpreter.file.group | string | Group of the file’s owner | |
exec.interpreter.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
exec.interpreter.file.inode | int | Inode of the file | |
exec.interpreter.file.mode | int | Mode/rights of the file | Chmod mode constants |
exec.interpreter.file.modification_time | int | Modification time of the file | |
exec.interpreter.file.mount_id | int | Mount ID of the file | |
exec.interpreter.file.name | string | File’s basename | |
exec.interpreter.file.name.length | int | Length of ‘exec.interpreter.file.name’ string | |
exec.interpreter.file.path | string | File’s path | |
exec.interpreter.file.path.length | int | Length of ‘exec.interpreter.file.path’ string | |
exec.interpreter.file.rights | int | Mode/rights of the file | Chmod mode constants |
exec.interpreter.file.uid | int | UID of the file’s owner | |
exec.interpreter.file.user | string | User of the file’s owner | |
exec.is_kworker | bool | Indicates whether the process is a kworker | |
exec.is_thread | bool | Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program) | |
exec.pid | int | Process ID of the process (also called thread group ID) | |
exec.ppid | int | Parent process ID | |
exec.tid | int | Thread ID of the thread | |
exec.tty_name | string | Name of the TTY associated with the process | |
exec.uid | int | UID of the process | |
exec.user | string | User of the process | |
exit
A process was terminated
Property | Type | Definition | Constants |
---|---|---|---|
exit.args | string | Arguments of the process (as a string) | |
exit.args_flags | string | Arguments of the process (as an array) | |
exit.args_options | string | Arguments of the process (as an array) | |
exit.args_truncated | bool | Indicator of arguments truncation | |
exit.argv | string | Arguments of the process (as an array) | |
exit.argv0 | string | First argument of the process | |
exit.cap_effective | int | Effective capability set of the process | Kernel Capability constants |
exit.cap_permitted | int | Permitted capability set of the process | Kernel Capability constants |
exit.cause | int | Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED) | |
exit.code | int | Exit code of the process or number of the signal that caused the process to terminate | |
exit.comm | string | Comm attribute of the process | |
exit.container.id | string | Container ID | |
exit.cookie | int | Cookie of the process | |
exit.created_at | int | Timestamp of the creation of the process | |
exit.egid | int | Effective GID of the process | |
exit.egroup | string | Effective group of the process | |
exit.envp | string | Environment variables of the process | |
exit.envs | string | Environment variable names of the process | |
exit.envs_truncated | bool | Indicator of environment variables truncation | |
exit.euid | int | Effective UID of the process | |
exit.euser | string | Effective user of the process | |
exit.file.change_time | int | Change time of the file | |
exit.file.filesystem | string | File’s filesystem | |
exit.file.gid | int | GID of the file’s owner | |
exit.file.group | string | Group of the file’s owner | |
exit.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
exit.file.inode | int | Inode of the file | |
exit.file.mode | int | Mode/rights of the file | Chmod mode constants |
exit.file.modification_time | int | Modification time of the file | |
exit.file.mount_id | int | Mount ID of the file | |
exit.file.name | string | File’s basename | |
exit.file.name.length | int | Length of ‘exit.file.name’ string | |
exit.file.path | string | File’s path | |
exit.file.path.length | int | Length of ‘exit.file.path’ string | |
exit.file.rights | int | Mode/rights of the file | Chmod mode constants |
exit.file.uid | int | UID of the file’s owner | |
exit.file.user | string | User of the file’s owner | |
exit.fsgid | int | FileSystem-gid of the process | |
exit.fsgroup | string | FileSystem-group of the process | |
exit.fsuid | int | FileSystem-uid of the process | |
exit.fsuser | string | FileSystem-user of the process | |
exit.gid | int | GID of the process | |
exit.group | string | Group of the process | |
exit.interpreter.file.change_time | int | Change time of the file | |
exit.interpreter.file.filesystem | string | File’s filesystem | |
exit.interpreter.file.gid | int | GID of the file’s owner | |
exit.interpreter.file.group | string | Group of the file’s owner | |
exit.interpreter.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
exit.interpreter.file.inode | int | Inode of the file | |
exit.interpreter.file.mode | int | Mode/rights of the file | Chmod mode constants |
exit.interpreter.file.modification_time | int | Modification time of the file | |
exit.interpreter.file.mount_id | int | Mount ID of the file | |
exit.interpreter.file.name | string | File’s basename | |
exit.interpreter.file.name.length | int | Length of ‘exit.interpreter.file.name’ string | |
exit.interpreter.file.path | string | File’s path | |
exit.interpreter.file.path.length | int | Length of ‘exit.interpreter.file.path’ string | |
exit.interpreter.file.rights | int | Mode/rights of the file | Chmod mode constants |
exit.interpreter.file.uid | int | UID of the file’s owner | |
exit.interpreter.file.user | string | User of the file’s owner | |
exit.is_kworker | bool | Indicates whether the process is a kworker | |
exit.is_thread | bool | Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program) | |
exit.pid | int | Process ID of the process (also called thread group ID) | |
exit.ppid | int | Parent process ID | |
exit.tid | int | Thread ID of the thread | |
exit.tty_name | string | Name of the TTY associated with the process | |
exit.uid | int | UID of the process | |
exit.user | string | User of the process | |
link
Create a new name/alias for a file
Property | Type | Definition | Constants |
---|---|---|---|
link.file.change_time | int | Change time of the file | |
link.file.destination.change_time | int | Change time of the file | |
link.file.destination.filesystem | string | File’s filesystem | |
link.file.destination.gid | int | GID of the file’s owner | |
link.file.destination.group | string | Group of the file’s owner | |
link.file.destination.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
link.file.destination.inode | int | Inode of the file | |
link.file.destination.mode | int | Mode/rights of the file | Chmod mode constants |
link.file.destination.modification_time | int | Modification time of the file | |
link.file.destination.mount_id | int | Mount ID of the file | |
link.file.destination.name | string | File’s basename | |
link.file.destination.name.length | int | Length of ‘link.file.destination.name’ string | |
link.file.destination.path | string | File’s path | |
link.file.destination.path.length | int | Length of ‘link.file.destination.path’ string | |
link.file.destination.rights | int | Mode/rights of the file | Chmod mode constants |
link.file.destination.uid | int | UID of the file’s owner | |
link.file.destination.user | string | User of the file’s owner | |
link.file.filesystem | string | File’s filesystem | |
link.file.gid | int | GID of the file’s owner | |
link.file.group | string | Group of the file’s owner | |
link.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
link.file.inode | int | Inode of the file | |
link.file.mode | int | Mode/rights of the file | Chmod mode constants |
link.file.modification_time | int | Modification time of the file | |
link.file.mount_id | int | Mount ID of the file | |
link.file.name | string | File’s basename | |
link.file.name.length | int | Length of ‘link.file.name’ string | |
link.file.path | string | File’s path | |
link.file.path.length | int | Length of ‘link.file.path’ string | |
link.file.rights | int | Mode/rights of the file | Chmod mode constants |
link.file.uid | int | UID of the file’s owner | |
link.file.user | string | User of the file’s owner | |
link.retval | int | Return value of the syscall | Error Constants |
load_module
A new kernel module was loaded
Property | Type | Definition | Constants |
---|---|---|---|
load_module.file.change_time | int | Change time of the file | |
load_module.file.filesystem | string | File’s filesystem | |
load_module.file.gid | int | GID of the file’s owner | |
load_module.file.group | string | Group of the file’s owner | |
load_module.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
load_module.file.inode | int | Inode of the file | |
load_module.file.mode | int | Mode/rights of the file | Chmod mode constants |
load_module.file.modification_time | int | Modification time of the file | |
load_module.file.mount_id | int | Mount ID of the file | |
load_module.file.name | string | File’s basename | |
load_module.file.name.length | int | Length of ‘load_module.file.name’ string | |
load_module.file.path | string | File’s path | |
load_module.file.path.length | int | Length of ‘load_module.file.path’ string | |
load_module.file.rights | int | Mode/rights of the file | Chmod mode constants |
load_module.file.uid | int | UID of the file’s owner | |
load_module.file.user | string | User of the file’s owner | |
load_module.loaded_from_memory | bool | Indicates if the kernel module was loaded from memory | |
load_module.name | string | Name of the new kernel module | |
load_module.retval | int | Return value of the syscall | Error Constants |
mkdir
A directory was created
Property | Type | Definition | Constants |
---|---|---|---|
mkdir.file.change_time | int | Change time of the file | |
mkdir.file.destination.mode | int | Mode/rights of the new directory | Chmod mode constants |
mkdir.file.destination.rights | int | Mode/rights of the new directory | Chmod mode constants |
mkdir.file.filesystem | string | File’s filesystem | |
mkdir.file.gid | int | GID of the file’s owner | |
mkdir.file.group | string | Group of the file’s owner | |
mkdir.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
mkdir.file.inode | int | Inode of the file | |
mkdir.file.mode | int | Mode/rights of the file | Chmod mode constants |
mkdir.file.modification_time | int | Modification time of the file | |
mkdir.file.mount_id | int | Mount ID of the file | |
mkdir.file.name | string | File’s basename | |
mkdir.file.name.length | int | Length of ‘mkdir.file.name’ string | |
mkdir.file.path | string | File’s path | |
mkdir.file.path.length | int | Length of ‘mkdir.file.path’ string | |
mkdir.file.rights | int | Mode/rights of the file | Chmod mode constants |
mkdir.file.uid | int | UID of the file’s owner | |
mkdir.file.user | string | User of the file’s owner | |
mkdir.retval | int | Return value of the syscall | Error Constants |
mmap
A mmap command was executed
Property | Type | Definition | Constants |
---|---|---|---|
mmap.file.change_time | int | Change time of the file | |
mmap.file.filesystem | string | File’s filesystem | |
mmap.file.gid | int | GID of the file’s owner | |
mmap.file.group | string | Group of the file’s owner | |
mmap.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
mmap.file.inode | int | Inode of the file | |
mmap.file.mode | int | Mode/rights of the file | Chmod mode constants |
mmap.file.modification_time | int | Modification time of the file | |
mmap.file.mount_id | int | Mount ID of the file | |
mmap.file.name | string | File’s basename | |
mmap.file.name.length | int | Length of ‘mmap.file.name’ string | |
mmap.file.path | string | File’s path | |
mmap.file.path.length | int | Length of ‘mmap.file.path’ string | |
mmap.file.rights | int | Mode/rights of the file | Chmod mode constants |
mmap.file.uid | int | UID of the file’s owner | |
mmap.file.user | string | User of the file’s owner | |
mmap.flags | int | Memory segment flags | MMap flags |
mmap.protection | int | Memory segment protection | Protection constants |
mmap.retval | int | Return value of the syscall | Error Constants |
mount
This event type is experimental and may change in the future.
A filesystem was mounted
Property | Type | Definition | Constants |
---|---|---|---|
mount.fs_type | string | Type of the mounted file system | |
mount.mountpoint.path | string | Path of the mount point | |
mount.retval | int | Return value of the syscall | Error Constants |
mount.source.path | string | Source path of a bind mount | |
mprotect
A mprotect command was executed
Property | Type | Definition | Constants |
---|---|---|---|
mprotect.req_protection | int | Requested (new) memory segment protection | Virtual Memory flags |
mprotect.retval | int | Return value of the syscall | Error Constants |
mprotect.vm_protection | int | Initial memory segment protection | Virtual Memory flags |
open
A file was opened
Property | Type | Definition | Constants |
---|---|---|---|
open.file.change_time | int | Change time of the file | |
open.file.destination.mode | int | Mode of the created file | Chmod mode constants |
open.file.filesystem | string | File’s filesystem | |
open.file.gid | int | GID of the file’s owner | |
open.file.group | string | Group of the file’s owner | |
open.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
open.file.inode | int | Inode of the file | |
open.file.mode | int | Mode/rights of the file | Chmod mode constants |
open.file.modification_time | int | Modification time of the file | |
open.file.mount_id | int | Mount ID of the file | |
open.file.name | string | File’s basename | |
open.file.name.length | int | Length of ‘open.file.name’ string | |
open.file.path | string | File’s path | |
open.file.path.length | int | Length of ‘open.file.path’ string | |
open.file.rights | int | Mode/rights of the file | Chmod mode constants |
open.file.uid | int | UID of the file’s owner | |
open.file.user | string | User of the file’s owner | |
open.flags | int | Flags used when opening the file | Open flags |
open.retval | int | Return value of the syscall | Error Constants |
ptrace
A ptrace command was executed
Property | Type | Definition | Constants |
---|---|---|---|
ptrace.request | int | ptrace request | Ptrace constants |
ptrace.retval | int | Return value of the syscall | Error Constants |
ptrace.tracee.ancestors.args | string | Arguments of the process (as a string) | |
ptrace.tracee.ancestors.args_flags | string | Arguments of the process (as an array) | |
ptrace.tracee.ancestors.args_options | string | Arguments of the process (as an array) | |
ptrace.tracee.ancestors.args_truncated | bool | Indicator of arguments truncation | |
ptrace.tracee.ancestors.argv | string | Arguments of the process (as an array) | |
ptrace.tracee.ancestors.argv0 | string | First argument of the process | |
ptrace.tracee.ancestors.cap_effective | int | Effective capability set of the process | Kernel Capability constants |
ptrace.tracee.ancestors.cap_permitted | int | Permitted capability set of the process | Kernel Capability constants |
ptrace.tracee.ancestors.comm | string | Comm attribute of the process | |
ptrace.tracee.ancestors.container.id | string | Container ID | |
ptrace.tracee.ancestors.cookie | int | Cookie of the process | |
ptrace.tracee.ancestors.created_at | int | Timestamp of the creation of the process | |
ptrace.tracee.ancestors.egid | int | Effective GID of the process | |
ptrace.tracee.ancestors.egroup | string | Effective group of the process | |
ptrace.tracee.ancestors.envp | string | Environment variables of the process | |
ptrace.tracee.ancestors.envs | string | Environment variable names of the process | |
ptrace.tracee.ancestors.envs_truncated | bool | Indicator of environment variables truncation | |
ptrace.tracee.ancestors.euid | int | Effective UID of the process | |
ptrace.tracee.ancestors.euser | string | Effective user of the process | |
ptrace.tracee.ancestors.file.change_time | int | Change time of the file | |
ptrace.tracee.ancestors.file.filesystem | string | File’s filesystem | |
ptrace.tracee.ancestors.file.gid | int | GID of the file’s owner | |
ptrace.tracee.ancestors.file.group | string | Group of the file’s owner | |
ptrace.tracee.ancestors.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
ptrace.tracee.ancestors.file.inode | int | Inode of the file | |
ptrace.tracee.ancestors.file.mode | int | Mode/rights of the file | Chmod mode constants |
ptrace.tracee.ancestors.file.modification_time | int | Modification time of the file | |
ptrace.tracee.ancestors.file.mount_id | int | Mount ID of the file | |
ptrace.tracee.ancestors.file.name | string | File’s basename | |
ptrace.tracee.ancestors.file.name.length | int | Length of ‘ptrace.tracee.ancestors.file.name’ string | |
ptrace.tracee.ancestors.file.path | string | File’s path | |
ptrace.tracee.ancestors.file.path.length | int | Length of ‘ptrace.tracee.ancestors.file.path’ string | |
ptrace.tracee.ancestors.file.rights | int | Mode/rights of the file | Chmod mode constants |
ptrace.tracee.ancestors.file.uid | int | UID of the file’s owner | |
ptrace.tracee.ancestors.file.user | string | User of the file’s owner | |
ptrace.tracee.ancestors.fsgid | int | FileSystem-gid of the process | |
ptrace.tracee.ancestors.fsgroup | string | FileSystem-group of the process | |
ptrace.tracee.ancestors.fsuid | int | FileSystem-uid of the process | |
ptrace.tracee.ancestors.fsuser | string | FileSystem-user of the process | |
ptrace.tracee.ancestors.gid | int | GID of the process | |
ptrace.tracee.ancestors.group | string | Group of the process | |
ptrace.tracee.ancestors.interpreter.file.change_time | int | Change time of the file | |
ptrace.tracee.ancestors.interpreter.file.filesystem | string | File’s filesystem | |
ptrace.tracee.ancestors.interpreter.file.gid | int | GID of the file’s owner | |
ptrace.tracee.ancestors.interpreter.file.group | string | Group of the file’s owner | |
ptrace.tracee.ancestors.interpreter.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
ptrace.tracee.ancestors.interpreter.file.inode | int | Inode of the file | |
ptrace.tracee.ancestors.interpreter.file.mode | int | Mode/rights of the file | Chmod mode constants |
ptrace.tracee.ancestors.interpreter.file.modification_time | int | Modification time of the file | |
ptrace.tracee.ancestors.interpreter.file.mount_id | int | Mount ID of the file | |
ptrace.tracee.ancestors.interpreter.file.name | string | File’s basename | |
ptrace.tracee.ancestors.interpreter.file.name.length | int | Length of ‘ptrace.tracee.ancestors.interpreter.file.name’ string | |
ptrace.tracee.ancestors.interpreter.file.path | string | File’s path | |
ptrace.tracee.ancestors.interpreter.file.path.length | int | Length of ‘ptrace.tracee.ancestors.interpreter.file.path’ string | |
ptrace.tracee.ancestors.interpreter.file.rights | int | Mode/rights of the file | Chmod mode constants |
ptrace.tracee.ancestors.interpreter.file.uid | int | UID of the file’s owner | |
ptrace.tracee.ancestors.interpreter.file.user | string | User of the file’s owner | |
ptrace.tracee.ancestors.is_kworker | bool | Indicates whether the process is a kworker | |
ptrace.tracee.ancestors.is_thread | bool | Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program) | |
ptrace.tracee.ancestors.pid | int | Process ID of the process (also called thread group ID) | |
ptrace.tracee.ancestors.ppid | int | Parent process ID | |
ptrace.tracee.ancestors.tid | int | Thread ID of the thread | |
ptrace.tracee.ancestors.tty_name | string | Name of the TTY associated with the process | |
ptrace.tracee.ancestors.uid | int | UID of the process | |
ptrace.tracee.ancestors.user | string | User of the process | |
ptrace.tracee.args | string | Arguments of the process (as a string) | |
ptrace.tracee.args_flags | string | Arguments of the process (as an array) | |
ptrace.tracee.args_options | string | Arguments of the process (as an array) | |
ptrace.tracee.args_truncated | bool | Indicator of arguments truncation | |
ptrace.tracee.argv | string | Arguments of the process (as an array) | |
ptrace.tracee.argv0 | string | First argument of the process | |
ptrace.tracee.cap_effective | int | Effective capability set of the process | Kernel Capability constants |
ptrace.tracee.cap_permitted | int | Permitted capability set of the process | Kernel Capability constants |
ptrace.tracee.comm | string | Comm attribute of the process | |
ptrace.tracee.container.id | string | Container ID | |
ptrace.tracee.cookie | int | Cookie of the process | |
ptrace.tracee.created_at | int | Timestamp of the creation of the process | |
ptrace.tracee.egid | int | Effective GID of the process | |
ptrace.tracee.egroup | string | Effective group of the process | |
ptrace.tracee.envp | string | Environment variables of the process | |
ptrace.tracee.envs | string | Environment variable names of the process | |
ptrace.tracee.envs_truncated | bool | Indicator of environment variables truncation | |
ptrace.tracee.euid | int | Effective UID of the process | |
ptrace.tracee.euser | string | Effective user of the process | |
ptrace.tracee.file.change_time | int | Change time of the file | |
ptrace.tracee.file.filesystem | string | File’s filesystem | |
ptrace.tracee.file.gid | int | GID of the file’s owner | |
ptrace.tracee.file.group | string | Group of the file’s owner | |
ptrace.tracee.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
ptrace.tracee.file.inode | int | Inode of the file | |
ptrace.tracee.file.mode | int | Mode/rights of the file | Chmod mode constants |
ptrace.tracee.file.modification_time | int | Modification time of the file | |
ptrace.tracee.file.mount_id | int | Mount ID of the file | |
ptrace.tracee.file.name | string | File’s basename | |
ptrace.tracee.file.name.length | int | Length of ‘ptrace.tracee.file.name’ string | |
ptrace.tracee.file.path | string | File’s path | |
ptrace.tracee.file.path.length | int | Length of ‘ptrace.tracee.file.path’ string | |
ptrace.tracee.file.rights | int | Mode/rights of the file | Chmod mode constants |
ptrace.tracee.file.uid | int | UID of the file’s owner | |
ptrace.tracee.file.user | string | User of the file’s owner | |
ptrace.tracee.fsgid | int | FileSystem-gid of the process | |
ptrace.tracee.fsgroup | string | FileSystem-group of the process | |
ptrace.tracee.fsuid | int | FileSystem-uid of the process | |
ptrace.tracee.fsuser | string | FileSystem-user of the process | |
ptrace.tracee.gid | int | GID of the process | |
ptrace.tracee.group | string | Group of the process | |
ptrace.tracee.interpreter.file.change_time | int | Change time of the file | |
ptrace.tracee.interpreter.file.filesystem | string | File’s filesystem | |
ptrace.tracee.interpreter.file.gid | int | GID of the file’s owner | |
ptrace.tracee.interpreter.file.group | string | Group of the file’s owner | |
ptrace.tracee.interpreter.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
ptrace.tracee.interpreter.file.inode | int | Inode of the file | |
ptrace.tracee.interpreter.file.mode | int | Mode/rights of the file | Chmod mode constants |
ptrace.tracee.interpreter.file.modification_time | int | Modification time of the file | |
ptrace.tracee.interpreter.file.mount_id | int | Mount ID of the file | |
ptrace.tracee.interpreter.file.name | string | File’s basename | |
ptrace.tracee.interpreter.file.name.length | int | Length of ‘ptrace.tracee.interpreter.file.name’ string | |
ptrace.tracee.interpreter.file.path | string | File’s path | |
ptrace.tracee.interpreter.file.path.length | int | Length of ‘ptrace.tracee.interpreter.file.path’ string | |
ptrace.tracee.interpreter.file.rights | int | Mode/rights of the file | Chmod mode constants |
ptrace.tracee.interpreter.file.uid | int | UID of the file’s owner | |
ptrace.tracee.interpreter.file.user | string | User of the file’s owner | |
ptrace.tracee.is_kworker | bool | Indicates whether the process is a kworker | |
ptrace.tracee.is_thread | bool | Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program) | |
ptrace.tracee.parent.args | string | Arguments of the process (as a string) | |
ptrace.tracee.parent.args_flags | string | Arguments of the process (as an array) | |
ptrace.tracee.parent.args_options | string | Arguments of the process (as an array) | |
ptrace.tracee.parent.args_truncated | bool | Indicator of arguments truncation | |
ptrace.tracee.parent.argv | string | Arguments of the process (as an array) | |
ptrace.tracee.parent.argv0 | string | First argument of the process | |
ptrace.tracee.parent.cap_effective | int | Effective capability set of the process | Kernel Capability constants |
ptrace.tracee.parent.cap_permitted | int | Permitted capability set of the process | Kernel Capability constants |
ptrace.tracee.parent.comm | string | Comm attribute of the process | |
ptrace.tracee.parent.container.id | string | Container ID | |
ptrace.tracee.parent.cookie | int | Cookie of the process | |
ptrace.tracee.parent.created_at | int | Timestamp of the creation of the process | |
ptrace.tracee.parent.egid | int | Effective GID of the process | |
ptrace.tracee.parent.egroup | string | Effective group of the process | |
ptrace.tracee.parent.envp | string | Environment variables of the process | |
ptrace.tracee.parent.envs | string | Environment variable names of the process | |
ptrace.tracee.parent.envs_truncated | bool | Indicator of environment variables truncation | |
ptrace.tracee.parent.euid | int | Effective UID of the process | |
ptrace.tracee.parent.euser | string | Effective user of the process | |
ptrace.tracee.parent.file.change_time | int | Change time of the file | |
ptrace.tracee.parent.file.filesystem | string | File’s filesystem | |
ptrace.tracee.parent.file.gid | int | GID of the file’s owner | |
ptrace.tracee.parent.file.group | string | Group of the file’s owner | |
ptrace.tracee.parent.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
ptrace.tracee.parent.file.inode | int | Inode of the file | |
ptrace.tracee.parent.file.mode | int | Mode/rights of the file | Chmod mode constants |
ptrace.tracee.parent.file.modification_time | int | Modification time of the file | |
ptrace.tracee.parent.file.mount_id | int | Mount ID of the file | |
ptrace.tracee.parent.file.name | string | File’s basename | |
ptrace.tracee.parent.file.name.length | int | Length of ‘ptrace.tracee.parent.file.name’ string | |
ptrace.tracee.parent.file.path | string | File’s path | |
ptrace.tracee.parent.file.path.length | int | Length of ‘ptrace.tracee.parent.file.path’ string | |
ptrace.tracee.parent.file.rights | int | Mode/rights of the file | Chmod mode constants |
ptrace.tracee.parent.file.uid | int | UID of the file’s owner | |
ptrace.tracee.parent.file.user | string | User of the file’s owner | |
ptrace.tracee.parent.fsgid | int | FileSystem-gid of the process | |
ptrace.tracee.parent.fsgroup | string | FileSystem-group of the process | |
ptrace.tracee.parent.fsuid | int | FileSystem-uid of the process | |
ptrace.tracee.parent.fsuser | string | FileSystem-user of the process | |
ptrace.tracee.parent.gid | int | GID of the process | |
ptrace.tracee.parent.group | string | Group of the process | |
ptrace.tracee.parent.interpreter.file.change_time | int | Change time of the file | |
ptrace.tracee.parent.interpreter.file.filesystem | string | File’s filesystem | |
ptrace.tracee.parent.interpreter.file.gid | int | GID of the file’s owner | |
ptrace.tracee.parent.interpreter.file.group | string | Group of the file’s owner | |
ptrace.tracee.parent.interpreter.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
ptrace.tracee.parent.interpreter.file.inode | int | Inode of the file | |
ptrace.tracee.parent.interpreter.file.mode | int | Mode/rights of the file | Chmod mode constants |
ptrace.tracee.parent.interpreter.file.modification_time | int | Modification time of the file | |
ptrace.tracee.parent.interpreter.file.mount_id | int | Mount ID of the file | |
ptrace.tracee.parent.interpreter.file.name | string | File’s basename | |
ptrace.tracee.parent.interpreter.file.name.length | int | Length of ‘ptrace.tracee.parent.interpreter.file.name’ string | |
ptrace.tracee.parent.interpreter.file.path | string | File’s path | |
ptrace.tracee.parent.interpreter.file.path.length | int | Length of ‘ptrace.tracee.parent.interpreter.file.path’ string | |
ptrace.tracee.parent.interpreter.file.rights | int | Mode/rights of the file | Chmod mode constants |
ptrace.tracee.parent.interpreter.file.uid | int | UID of the file’s owner | |
ptrace.tracee.parent.interpreter.file.user | string | User of the file’s owner | |
ptrace.tracee.parent.is_kworker | bool | Indicates whether the process is a kworker | |
ptrace.tracee.parent.is_thread | bool | Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program) | |
ptrace.tracee.parent.pid | int | Process ID of the process (also called thread group ID) | |
ptrace.tracee.parent.ppid | int | Parent process ID | |
ptrace.tracee.parent.tid | int | Thread ID of the thread | |
ptrace.tracee.parent.tty_name | string | Name of the TTY associated with the process | |
ptrace.tracee.parent.uid | int | UID of the process | |
ptrace.tracee.parent.user | string | User of the process | |
ptrace.tracee.pid | int | Process ID of the process (also called thread group ID) | |
ptrace.tracee.ppid | int | Parent process ID | |
ptrace.tracee.tid | int | Thread ID of the thread | |
ptrace.tracee.tty_name | string | Name of the TTY associated with the process | |
ptrace.tracee.uid | int | UID of the process | |
ptrace.tracee.user | string | User of the process | |
removexattr
Remove extended attributes
Property | Type | Definition | Constants |
---|---|---|---|
removexattr.file.change_time | int | Change time of the file | |
removexattr.file.destination.name | string | Name of the extended attribute | |
removexattr.file.destination.namespace | string | Namespace of the extended attribute | |
removexattr.file.filesystem | string | File’s filesystem | |
removexattr.file.gid | int | GID of the file’s owner | |
removexattr.file.group | string | Group of the file’s owner | |
removexattr.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
removexattr.file.inode | int | Inode of the file | |
removexattr.file.mode | int | Mode/rights of the file | Chmod mode constants |
removexattr.file.modification_time | int | Modification time of the file | |
removexattr.file.mount_id | int | Mount ID of the file | |
removexattr.file.name | string | File’s basename | |
removexattr.file.name.length | int | Length of ‘removexattr.file.name’ string | |
removexattr.file.path | string | File’s path | |
removexattr.file.path.length | int | Length of ‘removexattr.file.path’ string | |
removexattr.file.rights | int | Mode/rights of the file | Chmod mode constants |
removexattr.file.uid | int | UID of the file’s owner | |
removexattr.file.user | string | User of the file’s owner | |
removexattr.retval | int | Return value of the syscall | Error Constants |
rename
A file/directory was renamed
Property | Type | Definition | Constants |
---|---|---|---|
rename.file.change_time | int | Change time of the file | |
rename.file.destination.change_time | int | Change time of the file | |
rename.file.destination.filesystem | string | File’s filesystem | |
rename.file.destination.gid | int | GID of the file’s owner | |
rename.file.destination.group | string | Group of the file’s owner | |
rename.file.destination.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
rename.file.destination.inode | int | Inode of the file | |
rename.file.destination.mode | int | Mode/rights of the file | Chmod mode constants |
rename.file.destination.modification_time | int | Modification time of the file | |
rename.file.destination.mount_id | int | Mount ID of the file | |
rename.file.destination.name | string | File’s basename | |
rename.file.destination.name.length | int | Length of ‘rename.file.destination.name’ string | |
rename.file.destination.path | string | File’s path | |
rename.file.destination.path.length | int | Length of ‘rename.file.destination.path’ string | |
rename.file.destination.rights | int | Mode/rights of the file | Chmod mode constants |
rename.file.destination.uid | int | UID of the file’s owner | |
rename.file.destination.user | string | User of the file’s owner | |
rename.file.filesystem | string | File’s filesystem | |
rename.file.gid | int | GID of the file’s owner | |
rename.file.group | string | Group of the file’s owner | |
rename.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
rename.file.inode | int | Inode of the file | |
rename.file.mode | int | Mode/rights of the file | Chmod mode constants |
rename.file.modification_time | int | Modification time of the file | |
rename.file.mount_id | int | Mount ID of the file | |
rename.file.name | string | File’s basename | |
rename.file.name.length | int | Length of ‘rename.file.name’ string | |
rename.file.path | string | File’s path | |
rename.file.path.length | int | Length of ‘rename.file.path’ string | |
rename.file.rights | int | Mode/rights of the file | Chmod mode constants |
rename.file.uid | int | UID of the file’s owner | |
rename.file.user | string | User of the file’s owner | |
rename.retval | int | Return value of the syscall | Error Constants |
rmdir
A directory was removed
Property | Type | Definition | Constants |
---|---|---|---|
rmdir.file.change_time | int | Change time of the file | |
rmdir.file.filesystem | string | File’s filesystem | |
rmdir.file.gid | int | GID of the file’s owner | |
rmdir.file.group | string | Group of the file’s owner | |
rmdir.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
rmdir.file.inode | int | Inode of the file | |
rmdir.file.mode | int | Mode/rights of the file | Chmod mode constants |
rmdir.file.modification_time | int | Modification time of the file | |
rmdir.file.mount_id | int | Mount ID of the file | |
rmdir.file.name | string | File’s basename | |
rmdir.file.name.length | int | Length of ‘rmdir.file.name’ string | |
rmdir.file.path | string | File’s path | |
rmdir.file.path.length | int | Length of ‘rmdir.file.path’ string | |
rmdir.file.rights | int | Mode/rights of the file | Chmod mode constants |
rmdir.file.uid | int | UID of the file’s owner | |
rmdir.file.user | string | User of the file’s owner | |
rmdir.retval | int | Return value of the syscall | Error Constants |
selinux
An SELinux operation was run
Property | Type | Definition | Constants |
---|---|---|---|
selinux.bool.name | string | SELinux boolean name | |
selinux.bool.state | string | SELinux boolean new value | |
selinux.bool_commit.state | bool | Indicator of a SELinux boolean commit operation | |
selinux.enforce.status | string | SELinux enforcement status (one of “enforcing”, “permissive”, “disabled”) | |
setgid
A process changed its effective gid
Property | Type | Definition | Constants |
---|---|---|---|
setgid.egid | int | New effective GID of the process | |
setgid.egroup | string | New effective group of the process | |
setgid.fsgid | int | New FileSystem GID of the process | |
setgid.fsgroup | string | New FileSystem group of the process | |
setgid.gid | int | New GID of the process | |
setgid.group | string | New group of the process | |
setuid
A process changed its effective uid
Property | Type | Definition | Constants |
---|---|---|---|
setuid.euid | int | New effective UID of the process | |
setuid.euser | string | New effective user of the process | |
setuid.fsuid | int | New FileSystem UID of the process | |
setuid.fsuser | string | New FileSystem user of the process | |
setuid.uid | int | New UID of the process | |
setuid.user | string | New user of the process | |
setxattr
Set extended attributes
Property | Type | Definition | Constants |
---|---|---|---|
setxattr.file.change_time | int | Change time of the file | |
setxattr.file.destination.name | string | Name of the extended attribute | |
setxattr.file.destination.namespace | string | Namespace of the extended attribute | |
setxattr.file.filesystem | string | File’s filesystem | |
setxattr.file.gid | int | GID of the file’s owner | |
setxattr.file.group | string | Group of the file’s owner | |
setxattr.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
setxattr.file.inode | int | Inode of the file | |
setxattr.file.mode | int | Mode/rights of the file | Chmod mode constants |
setxattr.file.modification_time | int | Modification time of the file | |
setxattr.file.mount_id | int | Mount ID of the file | |
setxattr.file.name | string | File’s basename | |
setxattr.file.name.length | int | Length of ‘setxattr.file.name’ string | |
setxattr.file.path | string | File’s path | |
setxattr.file.path.length | int | Length of ‘setxattr.file.path’ string | |
setxattr.file.rights | int | Mode/rights of the file | Chmod mode constants |
setxattr.file.uid | int | UID of the file’s owner | |
setxattr.file.user | string | User of the file’s owner | |
setxattr.retval | int | Return value of the syscall | Error Constants |
signal
A signal was sent
Property | Type | Definition | Constants |
---|---|---|---|
signal.pid | int | Target PID | |
signal.retval | int | Return value of the syscall | Error Constants |
signal.target.ancestors.args | string | Arguments of the process (as a string) | |
signal.target.ancestors.args_flags | string | Arguments of the process (as an array) | |
signal.target.ancestors.args_options | string | Arguments of the process (as an array) | |
signal.target.ancestors.args_truncated | bool | Indicator of arguments truncation | |
signal.target.ancestors.argv | string | Arguments of the process (as an array) | |
signal.target.ancestors.argv0 | string | First argument of the process | |
signal.target.ancestors.cap_effective | int | Effective capability set of the process | Kernel Capability constants |
signal.target.ancestors.cap_permitted | int | Permitted capability set of the process | Kernel Capability constants |
signal.target.ancestors.comm | string | Comm attribute of the process | |
signal.target.ancestors.container.id | string | Container ID | |
signal.target.ancestors.cookie | int | Cookie of the process | |
signal.target.ancestors.created_at | int | Timestamp of the creation of the process | |
signal.target.ancestors.egid | int | Effective GID of the process | |
signal.target.ancestors.egroup | string | Effective group of the process | |
signal.target.ancestors.envp | string | Environment variables of the process | |
signal.target.ancestors.envs | string | Environment variable names of the process | |
signal.target.ancestors.envs_truncated | bool | Indicator of environment variables truncation | |
signal.target.ancestors.euid | int | Effective UID of the process | |
signal.target.ancestors.euser | string | Effective user of the process | |
signal.target.ancestors.file.change_time | int | Change time of the file | |
signal.target.ancestors.file.filesystem | string | File’s filesystem | |
signal.target.ancestors.file.gid | int | GID of the file’s owner | |
signal.target.ancestors.file.group | string | Group of the file’s owner | |
signal.target.ancestors.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
signal.target.ancestors.file.inode | int | Inode of the file | |
signal.target.ancestors.file.mode | int | Mode/rights of the file | Chmod mode constants |
signal.target.ancestors.file.modification_time | int | Modification time of the file | |
signal.target.ancestors.file.mount_id | int | Mount ID of the file | |
signal.target.ancestors.file.name | string | File’s basename | |
signal.target.ancestors.file.name.length | int | Length of ‘signal.target.ancestors.file.name’ string | |
signal.target.ancestors.file.path | string | File’s path | |
signal.target.ancestors.file.path.length | int | Length of ‘signal.target.ancestors.file.path’ string | |
signal.target.ancestors.file.rights | int | Mode/rights of the file | Chmod mode constants |
signal.target.ancestors.file.uid | int | UID of the file’s owner | |
signal.target.ancestors.file.user | string | User of the file’s owner | |
signal.target.ancestors.fsgid | int | FileSystem-gid of the process | |
signal.target.ancestors.fsgroup | string | FileSystem-group of the process | |
signal.target.ancestors.fsuid | int | FileSystem-uid of the process | |
signal.target.ancestors.fsuser | string | FileSystem-user of the process | |
signal.target.ancestors.gid | int | GID of the process | |
signal.target.ancestors.group | string | Group of the process | |
signal.target.ancestors.interpreter.file.change_time | int | Change time of the file | |
signal.target.ancestors.interpreter.file.filesystem | string | File’s filesystem | |
signal.target.ancestors.interpreter.file.gid | int | GID of the file’s owner | |
signal.target.ancestors.interpreter.file.group | string | Group of the file’s owner | |
signal.target.ancestors.interpreter.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
signal.target.ancestors.interpreter.file.inode | int | Inode of the file | |
signal.target.ancestors.interpreter.file.mode | int | Mode/rights of the file | Chmod mode constants |
signal.target.ancestors.interpreter.file.modification_time | int | Modification time of the file | |
signal.target.ancestors.interpreter.file.mount_id | int | Mount ID of the file | |
signal.target.ancestors.interpreter.file.name | string | File’s basename | |
signal.target.ancestors.interpreter.file.name.length | int | Length of ‘signal.target.ancestors.interpreter.file.name’ string | |
signal.target.ancestors.interpreter.file.path | string | File’s path | |
signal.target.ancestors.interpreter.file.path.length | int | Length of ‘signal.target.ancestors.interpreter.file.path’ string | |
signal.target.ancestors.interpreter.file.rights | int | Mode/rights of the file | Chmod mode constants |
signal.target.ancestors.interpreter.file.uid | int | UID of the file’s owner | |
signal.target.ancestors.interpreter.file.user | string | User of the file’s owner | |
signal.target.ancestors.is_kworker | bool | Indicates whether the process is a kworker | |
signal.target.ancestors.is_thread | bool | Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program) | |
signal.target.ancestors.pid | int | Process ID of the process (also called thread group ID) | |
signal.target.ancestors.ppid | int | Parent process ID | |
signal.target.ancestors.tid | int | Thread ID of the thread | |
signal.target.ancestors.tty_name | string | Name of the TTY associated with the process | |
signal.target.ancestors.uid | int | UID of the process | |
signal.target.ancestors.user | string | User of the process | |
signal.target.args | string | Arguments of the process (as a string) | |
signal.target.args_flags | string | Arguments of the process (as an array) | |
signal.target.args_options | string | Arguments of the process (as an array) | |
signal.target.args_truncated | bool | Indicator of arguments truncation | |
signal.target.argv | string | Arguments of the process (as an array) | |
signal.target.argv0 | string | First argument of the process | |
signal.target.cap_effective | int | Effective capability set of the process | Kernel Capability constants |
signal.target.cap_permitted | int | Permitted capability set of the process | Kernel Capability constants |
signal.target.comm | string | Comm attribute of the process | |
signal.target.container.id | string | Container ID | |
signal.target.cookie | int | Cookie of the process | |
signal.target.created_at | int | Timestamp of the creation of the process | |
signal.target.egid | int | Effective GID of the process | |
signal.target.egroup | string | Effective group of the process | |
signal.target.envp | string | Environment variables of the process | |
signal.target.envs | string | Environment variable names of the process | |
signal.target.envs_truncated | bool | Indicator of environment variables truncation | |
signal.target.euid | int | Effective UID of the process | |
signal.target.euser | string | Effective user of the process | |
signal.target.file.change_time | int | Change time of the file | |
signal.target.file.filesystem | string | File’s filesystem | |
signal.target.file.gid | int | GID of the file’s owner | |
signal.target.file.group | string | Group of the file’s owner | |
signal.target.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
signal.target.file.inode | int | Inode of the file | |
signal.target.file.mode | int | Mode/rights of the file | Chmod mode constants |
signal.target.file.modification_time | int | Modification time of the file | |
signal.target.file.mount_id | int | Mount ID of the file | |
signal.target.file.name | string | File’s basename | |
signal.target.file.name.length | int | Length of ‘signal.target.file.name’ string | |
signal.target.file.path | string | File’s path | |
signal.target.file.path.length | int | Length of ‘signal.target.file.path’ string | |
signal.target.file.rights | int | Mode/rights of the file | Chmod mode constants |
signal.target.file.uid | int | UID of the file’s owner | |
signal.target.file.user | string | User of the file’s owner | |
signal.target.fsgid | int | FileSystem-gid of the process | |
signal.target.fsgroup | string | FileSystem-group of the process | |
signal.target.fsuid | int | FileSystem-uid of the process | |
signal.target.fsuser | string | FileSystem-user of the process | |
signal.target.gid | int | GID of the process | |
signal.target.group | string | Group of the process | |
signal.target.interpreter.file.change_time | int | Change time of the file | |
signal.target.interpreter.file.filesystem | string | File’s filesystem | |
signal.target.interpreter.file.gid | int | GID of the file’s owner | |
signal.target.interpreter.file.group | string | Group of the file’s owner | |
signal.target.interpreter.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
signal.target.interpreter.file.inode | int | Inode of the file | |
signal.target.interpreter.file.mode | int | Mode/rights of the file | Chmod mode constants |
signal.target.interpreter.file.modification_time | int | Modification time of the file | |
signal.target.interpreter.file.mount_id | int | Mount ID of the file | |
signal.target.interpreter.file.name | string | File’s basename | |
signal.target.interpreter.file.name.length | int | Length of ‘signal.target.interpreter.file.name’ string | |
signal.target.interpreter.file.path | string | File’s path | |
signal.target.interpreter.file.path.length | int | Length of ‘signal.target.interpreter.file.path’ string | |
signal.target.interpreter.file.rights | int | Mode/rights of the file | Chmod mode constants |
signal.target.interpreter.file.uid | int | UID of the file’s owner | |
signal.target.interpreter.file.user | string | User of the file’s owner | |
signal.target.is_kworker | bool | Indicates whether the process is a kworker | |
signal.target.is_thread | bool | Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program) | |
signal.target.parent.args | string | Arguments of the process (as a string) | |
signal.target.parent.args_flags | string | Arguments of the process (as an array) | |
signal.target.parent.args_options | string | Arguments of the process (as an array) | |
signal.target.parent.args_truncated | bool | Indicator of arguments truncation | |
signal.target.parent.argv | string | Arguments of the process (as an array) | |
signal.target.parent.argv0 | string | First argument of the process | |
signal.target.parent.cap_effective | int | Effective capability set of the process | Kernel Capability constants |
signal.target.parent.cap_permitted | int | Permitted capability set of the process | Kernel Capability constants |
signal.target.parent.comm | string | Comm attribute of the process | |
signal.target.parent.container.id | string | Container ID | |
signal.target.parent.cookie | int | Cookie of the process | |
signal.target.parent.created_at | int | Timestamp of the creation of the process | |
signal.target.parent.egid | int | Effective GID of the process | |
signal.target.parent.egroup | string | Effective group of the process | |
signal.target.parent.envp | string | Environment variables of the process | |
signal.target.parent.envs | string | Environment variable names of the process | |
signal.target.parent.envs_truncated | bool | Indicator of environment variables truncation | |
signal.target.parent.euid | int | Effective UID of the process | |
signal.target.parent.euser | string | Effective user of the process | |
signal.target.parent.file.change_time | int | Change time of the file | |
signal.target.parent.file.filesystem | string | File’s filesystem | |
signal.target.parent.file.gid | int | GID of the file’s owner | |
signal.target.parent.file.group | string | Group of the file’s owner | |
signal.target.parent.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
signal.target.parent.file.inode | int | Inode of the file | |
signal.target.parent.file.mode | int | Mode/rights of the file | Chmod mode constants |
signal.target.parent.file.modification_time | int | Modification time of the file | |
signal.target.parent.file.mount_id | int | Mount ID of the file | |
signal.target.parent.file.name | string | File’s basename | |
signal.target.parent.file.name.length | int | Length of ‘signal.target.parent.file.name’ string | |
signal.target.parent.file.path | string | File’s path | |
signal.target.parent.file.path.length | int | Length of ‘signal.target.parent.file.path’ string | |
signal.target.parent.file.rights | int | Mode/rights of the file | Chmod mode constants |
signal.target.parent.file.uid | int | UID of the file’s owner | |
signal.target.parent.file.user | string | User of the file’s owner | |
signal.target.parent.fsgid | int | FileSystem-gid of the process | |
signal.target.parent.fsgroup | string | FileSystem-group of the process | |
signal.target.parent.fsuid | int | FileSystem-uid of the process | |
signal.target.parent.fsuser | string | FileSystem-user of the process | |
signal.target.parent.gid | int | GID of the process | |
signal.target.parent.group | string | Group of the process | |
signal.target.parent.interpreter.file.change_time | int | Change time of the file | |
signal.target.parent.interpreter.file.filesystem | string | File’s filesystem | |
signal.target.parent.interpreter.file.gid | int | GID of the file’s owner | |
signal.target.parent.interpreter.file.group | string | Group of the file’s owner | |
signal.target.parent.interpreter.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
signal.target.parent.interpreter.file.inode | int | Inode of the file | |
signal.target.parent.interpreter.file.mode | int | Mode/rights of the file | Chmod mode constants |
signal.target.parent.interpreter.file.modification_time | int | Modification time of the file | |
signal.target.parent.interpreter.file.mount_id | int | Mount ID of the file | |
signal.target.parent.interpreter.file.name | string | File’s basename | |
signal.target.parent.interpreter.file.name.length | int | Length of ‘signal.target.parent.interpreter.file.name’ string | |
signal.target.parent.interpreter.file.path | string | File’s path | |
signal.target.parent.interpreter.file.path.length | int | Length of ‘signal.target.parent.interpreter.file.path’ string | |
signal.target.parent.interpreter.file.rights | int | Mode/rights of the file | Chmod mode constants |
signal.target.parent.interpreter.file.uid | int | UID of the file’s owner | |
signal.target.parent.interpreter.file.user | string | User of the file’s owner | |
signal.target.parent.is_kworker | bool | Indicates whether the process is a kworker | |
signal.target.parent.is_thread | bool | Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program) | |
signal.target.parent.pid | int | Process ID of the process (also called thread group ID) | |
signal.target.parent.ppid | int | Parent process ID | |
signal.target.parent.tid | int | Thread ID of the thread | |
signal.target.parent.tty_name | string | Name of the TTY associated with the process | |
signal.target.parent.uid | int | UID of the process | |
signal.target.parent.user | string | User of the process | |
signal.target.pid | int | Process ID of the process (also called thread group ID) | |
signal.target.ppid | int | Parent process ID | |
signal.target.tid | int | Thread ID of the thread | |
signal.target.tty_name | string | Name of the TTY associated with the process | |
signal.target.uid | int | UID of the process | |
signal.target.user | string | User of the process | |
signal.type | int | Signal type (for example, SIGHUP, SIGINT, SIGQUIT) | Signal constants |
splice
A splice command was executed
Property | Type | Definition | Constants |
---|---|---|---|
splice.file.change_time | int | Change time of the file | |
splice.file.filesystem | string | File’s filesystem | |
splice.file.gid | int | GID of the file’s owner | |
splice.file.group | string | Group of the file’s owner | |
splice.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
splice.file.inode | int | Inode of the file | |
splice.file.mode | int | Mode/rights of the file | Chmod mode constants |
splice.file.modification_time | int | Modification time of the file | |
splice.file.mount_id | int | Mount ID of the file | |
splice.file.name | string | File’s basename | |
splice.file.name.length | int | Length of ‘splice.file.name’ string | |
splice.file.path | string | File’s path | |
splice.file.path.length | int | Length of ‘splice.file.path’ string | |
splice.file.rights | int | Mode/rights of the file | Chmod mode constants |
splice.file.uid | int | UID of the file’s owner | |
splice.file.user | string | User of the file’s owner | |
splice.pipe_entry_flag | int | Entry flag of the “fd_out” pipe passed to the splice syscall | Pipe buffer flags |
splice.pipe_exit_flag | int | Exit flag of the “fd_out” pipe passed to the splice syscall | Pipe buffer flags |
splice.retval | int | Return value of the syscall | Error Constants |
unlink
A file was deleted
Property | Type | Definition | Constants |
---|---|---|---|
unlink.file.change_time | int | Change time of the file | |
unlink.file.filesystem | string | File’s filesystem | |
unlink.file.gid | int | GID of the file’s owner | |
unlink.file.group | string | Group of the file’s owner | |
unlink.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
unlink.file.inode | int | Inode of the file | |
unlink.file.mode | int | Mode/rights of the file | Chmod mode constants |
unlink.file.modification_time | int | Modification time of the file | |
unlink.file.mount_id | int | Mount ID of the file | |
unlink.file.name | string | File’s basename | |
unlink.file.name.length | int | Length of ‘unlink.file.name’ string | |
unlink.file.path | string | File’s path | |
unlink.file.path.length | int | Length of ‘unlink.file.path’ string | |
unlink.file.rights | int | Mode/rights of the file | Chmod mode constants |
unlink.file.uid | int | UID of the file’s owner | |
unlink.file.user | string | User of the file’s owner | |
unlink.flags | int | Unlink flags | |
unlink.retval | int | Return value of the syscall | Error Constants |
unload_module
A kernel module was deleted
Property | Type | Definition | Constants |
---|---|---|---|
unload_module.name | string | Name of the kernel module that was deleted | |
unload_module.retval | int | Return value of the syscall | Error Constants |
utimes
Change file access/modification times
Property | Type | Definition | Constants |
---|---|---|---|
utimes.file.change_time | int | Change time of the file | |
utimes.file.filesystem | string | File’s filesystem | |
utimes.file.gid | int | GID of the file’s owner | |
utimes.file.group | string | Group of the file’s owner | |
utimes.file.in_upper_layer | bool | Indicator of the file layer, for example, in an OverlayFS | |
utimes.file.inode | int | Inode of the file | |
utimes.file.mode | int | Mode/rights of the file | Chmod mode constants |
utimes.file.modification_time | int | Modification time of the file | |
utimes.file.mount_id | int | Mount ID of the file | |
utimes.file.name | string | File’s basename | |
utimes.file.name.length | int | Length of ‘utimes.file.name’ string | |
utimes.file.path | string | File’s path | |
utimes.file.path.length | int | Length of ‘utimes.file.path’ string | |
utimes.file.rights | int | Mode/rights of the file | Chmod mode constants |
utimes.file.uid | int | UID of the file’s owner | |
utimes.file.user | string | User of the file’s owner | |
utimes.retval | int | Return value of the syscall | Error Constants |
Constants are used to improve the readability of your rules. Some constants are common to all architectures, others are specific to some architectures.
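As an added illustration (not taken from the original page), the following policy fragment combines event properties from the tables above with named constants. It assumes the CWS policy YAML layout (`rules`, `id`, `description`, `expression`), SECL's `=~` glob operator and the `process.file.path` attribute, none of which is shown in this section; rule IDs and paths are constructed placeholders.

```yaml
# Constructed example policy (not from the page); IDs and paths are placeholders.
rules:
  # Effective root obtained by something other than the expected setuid helpers.
  # Uses the setuid event table; process.file.path is assumed from the exec context.
  - id: example_setuid_to_root
    description: A process changed its effective UID to 0 outside sudo/su
    expression: >-
      setuid.euid == 0 && process.file.path not in ["/usr/bin/sudo", "/usr/bin/su"]

  # SELinux taken out of enforcing mode at runtime (selinux event table).
  - id: example_selinux_not_enforcing
    description: SELinux enforcement status switched to permissive or disabled
    expression: selinux.enforce.status in ["permissive", "disabled"]

  # SIGKILL delivered to a daemon executed from /usr/sbin; SIGKILL comes from
  # the Signal constants referenced by signal.type.
  - id: example_sigkill_system_daemon
    description: SIGKILL sent to a process whose binary lives under /usr/sbin
    expression: >-
      signal.type == SIGKILL && signal.target.file.path =~ "/usr/sbin/*"

  # Successful deletion of a log file (unlink event table); retval 0 means the
  # syscall succeeded, so failed attempts are not reported by this rule.
  - id: example_log_unlink
    description: A file under /var/log was deleted
    expression: unlink.file.path =~ "/var/log/*" && unlink.retval == 0

  # Timestamp rewrite on a log file (utimes event table); pairs with the rule
  # above to surface log tampering rather than only log removal.
  - id: example_log_timestamp_change
    description: Access/modification times rewritten on a file under /var/log
    expression: utimes.file.path =~ "/var/log/*" && utimes.retval == 0
```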
BPF attach types
BPF attach types are the supported eBPF program attach types.
Name | Architectures |
---|---|
BPF_CGROUP_INET_INGRESS | all |
BPF_CGROUP_INET_EGRESS | all |
BPF_CGROUP_INET_SOCK_CREATE | all |
BPF_CGROUP_SOCK_OPS | all |
BPF_SK_SKB_STREAM_PARSER | all |
BPF_SK_SKB_STREAM_VERDICT | all |
BPF_CGROUP_DEVICE | all |
BPF_SK_MSG_VERDICT | all |
BPF_CGROUP_INET4_BIND | all |
BPF_CGROUP_INET6_BIND | all |
BPF_CGROUP_INET4_CONNECT | all |
BPF_CGROUP_INET6_CONNECT | all |
BPF_CGROUP_INET4_POST_BIND | all |
BPF_CGROUP_INET6_POST_BIND | all |
BPF_CGROUP_UDP4_SENDMSG | all |
BPF_CGROUP_UDP6_SENDMSG | all |
BPF_LIRC_MODE2 | all |
BPF_FLOW_DISSECTOR | all |
BPF_CGROUP_SYSCTL | all |
BPF_CGROUP_UDP4_RECVMSG | all |
BPF_CGROUP_UDP6_RECVMSG | all |
BPF_CGROUP_GETSOCKOPT | all |
BPF_CGROUP_SETSOCKOPT | all |
BPF_TRACE_RAW_TP | all |
BPF_TRACE_FENTRY | all |
BPF_TRACE_FEXIT | all |
BPF_MODIFY_RETURN | all |
BPF_LSM_MAC | all |
BPF_TRACE_ITER | all |
BPF_CGROUP_INET4_GETPEERNAME | all |
BPF_CGROUP_INET6_GETPEERNAME | all |
BPF_CGROUP_INET4_GETSOCKNAME | all |
BPF_CGROUP_INET6_GETSOCKNAME | all |
BPF_XDP_DEVMAP | all |
BPF_CGROUP_INET_SOCK_RELEASE | all |
BPF_XDP_CPUMAP | all |
BPF_SK_LOOKUP | all |
BPF_XDP | all |
BPF_SK_SKB_VERDICT | all |
BPF commands
BPF commands are used to specify a command to a bpf syscall.
Name | Architectures |
---|---|
BPF_MAP_CREATE | all |
BPF_MAP_LOOKUP_ELEM | all |
BPF_MAP_UPDATE_ELEM | all |
BPF_MAP_DELETE_ELEM | all |
BPF_MAP_GET_NEXT_KEY | all |
BPF_PROG_LOAD | all |
BPF_OBJ_PIN | all |
BPF_OBJ_GET | all |
BPF_PROG_ATTACH | all |
BPF_PROG_DETACH | all |
BPF_PROG_TEST_RUN | all |
BPF_PROG_RUN | all |
BPF_PROG_GET_NEXT_ID | all |
BPF_MAP_GET_NEXT_ID | all |
BPF_PROG_GET_FD_BY_ID | all |
BPF_MAP_GET_FD_BY_ID | all |
BPF_OBJ_GET_INFO_BY_FD | all |
BPF_PROG_QUERY | all |
BPF_RAW_TRACEPOINT_OPEN | all |
BPF_BTF_LOAD | all |
BPF_BTF_GET_FD_BY_ID | all |
BPF_TASK_FD_QUERY | all |
BPF_MAP_LOOKUP_AND_DELETE_ELEM | all |
BPF_MAP_FREEZE | all |
BPF_BTF_GET_NEXT_ID | all |
BPF_MAP_LOOKUP_BATCH | all |
BPF_MAP_LOOKUP_AND_DELETE_BATCH | all |
BPF_MAP_UPDATE_BATCH | all |
BPF_MAP_DELETE_BATCH | all |
BPF_LINK_CREATE | all |
BPF_LINK_UPDATE | all |
BPF_LINK_GET_FD_BY_ID | all |
BPF_LINK_GET_NEXT_ID | all |
BPF_ENABLE_STATS | all |
BPF_ITER_CREATE | all |
BPF_LINK_DETACH | all |
BPF_PROG_BIND_MAP | all |
BPF helper functions
BPF helper functions are the supported BPF helper functions.
Name | Architectures |
---|---|
BPF_UNSPEC | all |
BPF_MAP_LOOKUP_ELEM | all |
BPF_MAP_UPDATE_ELEM | all |
BPF_MAP_DELETE_ELEM | all |
BPF_PROBE_READ | all |
BPF_KTIME_GET_NS | all |
BPF_TRACE_PRINTK | all |
BPF_GET_PRANDOM_U32 | all |
BPF_GET_SMP_PROCESSOR_ID | all |
BPF_SKB_STORE_BYTES | all |
BPF_L3_CSUM_REPLACE | all |
BPF_L4_CSUM_REPLACE | all |
BPF_TAIL_CALL | all |
BPF_CLONE_REDIRECT | all |
BPF_GET_CURRENT_PID_TGID | all |
BPF_GET_CURRENT_UID_GID | all |
BPF_GET_CURRENT_COMM | all |
BPF_GET_CGROUP_CLASSID | all |
BPF_SKB_VLAN_PUSH | all |
BPF_SKB_VLAN_POP | all |
BPF_SKB_GET_TUNNEL_KEY | all |
BPF_SKB_SET_TUNNEL_KEY | all |
BPF_PERF_EVENT_READ | all |
BPF_REDIRECT | all |
BPF_GET_ROUTE_REALM | all |
BPF_PERF_EVENT_OUTPUT | all |
BPF_SKB_LOAD_BYTES | all |
BPF_GET_STACKID | all |
BPF_CSUM_DIFF | all |
BPF_SKB_GET_TUNNEL_OPT | all |
BPF_SKB_SET_TUNNEL_OPT | all |
BPF_SKB_CHANGE_PROTO | all |
BPF_SKB_CHANGE_TYPE | all |
BPF_SKB_UNDER_CGROUP | all |
BPF_GET_HASH_RECALC | all |
BPF_GET_CURRENT_TASK | all |
BPF_PROBE_WRITE_USER | all |
BPF_CURRENT_TASK_UNDER_CGROUP | all |
BPF_SKB_CHANGE_TAIL | all |
BPF_SKB_PULL_DATA | all |
BPF_CSUM_UPDATE | all |
BPF_SET_HASH_INVALID | all |
BPF_GET_NUMA_NODE_ID | all |
BPF_SKB_CHANGE_HEAD | all |
BPF_XDP_ADJUST_HEAD | all |
BPF_PROBE_READ_STR | all |
BPF_GET_SOCKET_COOKIE | all |
BPF_GET_SOCKET_UID | all |
BPF_SET_HASH | all |
BPF_SETSOCKOPT | all |
BPF_SKB_ADJUST_ROOM | all |
BPF_REDIRECT_MAP | all |
BPF_SK_REDIRECT_MAP | all |
BPF_SOCK_MAP_UPDATE | all |
BPF_XDP_ADJUST_META | all |
BPF_PERF_EVENT_READ_VALUE | all |
BPF_PERF_PROG_READ_VALUE | all |
BPF_GETSOCKOPT | all |
BPF_OVERRIDE_RETURN | all |
BPF_SOCK_OPS_CB_FLAGS_SET | all |
BPF_MSG_REDIRECT_MAP | all |
BPF_MSG_APPLY_BYTES | all |
BPF_MSG_CORK_BYTES | all |
BPF_MSG_PULL_DATA | all |
BPF_BIND | all |
BPF_XDP_ADJUST_TAIL | all |
BPF_SKB_GET_XFRM_STATE | all |
BPF_GET_STACK | all |
BPF_SKB_LOAD_BYTES_RELATIVE | all |
BPF_FIB_LOOKUP | all |
BPF_SOCK_HASH_UPDATE | all |
BPF_MSG_REDIRECT_HASH | all |
BPF_SK_REDIRECT_HASH | all |
BPF_LWT_PUSH_ENCAP | all |
BPF_LWT_SEG6_STORE_BYTES | all |
BPF_LWT_SEG6_ADJUST_SRH | all |
BPF_LWT_SEG6_ACTION | all |
BPF_RC_REPEAT | all |
BPF_RC_KEYDOWN | all |
BPF_SKB_CGROUP_ID | all |
BPF_GET_CURRENT_CGROUP_ID | all |
BPF_GET_LOCAL_STORAGE | all |
BPF_SK_SELECT_REUSEPORT | all |
BPF_SKB_ANCESTOR_CGROUP_ID | all |
BPF_SK_LOOKUP_TCP | all |
BPF_SK_LOOKUP_UDP | all |
BPF_SK_RELEASE | all |
BPF_MAP_PUSH_ELEM | all |
BPF_MAP_POP_ELEM | all |
BPF_MAP_PEEK_ELEM | all |
BPF_MSG_PUSH_DATA | all |
BPF_MSG_POP_DATA | all |
BPF_RC_POINTER_REL | all |
BPF_SPIN_LOCK | all |
BPF_SPIN_UNLOCK | all |
BPF_SK_FULLSOCK | all |
BPF_TCP_SOCK | all |
BPF_SKB_ECN_SET_CE | all |
BPF_GET_LISTENER_SOCK | all |
BPF_SKC_LOOKUP_TCP | all |
BPF_TCP_CHECK_SYNCOOKIE | all |
BPF_SYSCTL_GET_NAME | all |
BPF_SYSCTL_GET_CURRENT_VALUE | all |
BPF_SYSCTL_GET_NEW_VALUE | all |
BPF_SYSCTL_SET_NEW_VALUE | all |
BPF_STRTOL | all |
BPF_STRTOUL | all |
BPF_SK_STORAGE_GET | all |
BPF_SK_STORAGE_DELETE | all |
BPF_SEND_SIGNAL | all |
BPF_TCP_GEN_SYNCOOKIE | all |
BPF_SKB_OUTPUT | all |
BPF_PROBE_READ_USER | all |
BPF_PROBE_READ_KERNEL | all |
BPF_PROBE_READ_USER_STR | all |
BPF_PROBE_READ_KERNEL_STR | all |
BPF_TCP_SEND_ACK | all |
BPF_SEND_SIGNAL_THREAD | all |
BPF_JIFFIES64 | all |
BPF_READ_BRANCH_RECORDS | all |
BPF_GET_NS_CURRENT_PID_TGID | all |
BPF_XDP_OUTPUT | all |
BPF_GET_NETNS_COOKIE | all |
BPF_GET_CURRENT_ANCESTOR_CGROUP_ID | all |
BPF_SK_ASSIGN | all |
BPF_KTIME_GET_BOOT_NS | all |
BPF_SEQ_PRINTF | all |
BPF_SEQ_WRITE | all |
BPF_SK_CGROUP_ID | all |
BPF_SK_ANCESTOR_CGROUP_ID | all |
BPF_RINGBUF_OUTPUT | all |
BPF_RINGBUF_RESERVE | all |
BPF_RINGBUF_SUBMIT | all |
BPF_RINGBUF_DISCARD | all |
BPF_RINGBUF_QUERY | all |
BPF_CSUM_LEVEL | all |
BPF_SKC_TO_TCP6_SOCK | all |
BPF_SKC_TO_TCP_SOCK | all |
BPF_SKC_TO_TCP_TIMEWAIT_SOCK | all |
BPF_SKC_TO_TCP_REQUEST_SOCK | all |
BPF_SKC_TO_UDP6_SOCK | all |
BPF_GET_TASK_STACK | all |
BPF_LOAD_HDR_OPT | all |
BPF_STORE_HDR_OPT | all |
BPF_RESERVE_HDR_OPT | all |
BPF_INODE_STORAGE_GET | all |
BPF_INODE_STORAGE_DELETE | all |
BPF_D_PATH | all |
BPF_COPY_FROM_USER | all |
BPF_SNPRINTF_BTF | all |
BPF_SEQ_PRINTF_BTF | all |
BPF_SKB_CGROUP_CLASSID | all |
BPF_REDIRECT_NEIGH | all |
BPF_PER_CPU_PTR | all |
BPF_THIS_CPU_PTR | all |
BPF_REDIRECT_PEER | all |
BPF_TASK_STORAGE_GET | all |
BPF_TASK_STORAGE_DELETE | all |
BPF_GET_CURRENT_TASK_BTF | all |
BPF_BPRM_OPTS_SET | all |
BPF_KTIME_GET_COARSE_NS | all |
BPF_IMA_INODE_HASH | all |
BPF_SOCK_FROM_FILE | all |
BPF_CHECK_MTU | all |
BPF_FOR_EACH_MAP_ELEM | all |
BPF_SNPRINTF | all |
BPF map types
BPF map types are the supported eBPF map types.
Name | Architectures |
---|---|
BPF_MAP_TYPE_UNSPEC | all |
BPF_MAP_TYPE_HASH | all |
BPF_MAP_TYPE_ARRAY | all |
BPF_MAP_TYPE_PROG_ARRAY | all |
BPF_MAP_TYPE_PERF_EVENT_ARRAY | all |
BPF_MAP_TYPE_PERCPU_HASH | all |
BPF_MAP_TYPE_PERCPU_ARRAY | all |
BPF_MAP_TYPE_STACK_TRACE | all |
BPF_MAP_TYPE_CGROUP_ARRAY | all |
BPF_MAP_TYPE_LRU_HASH | all |
BPF_MAP_TYPE_LRU_PERCPU_HASH | all |
BPF_MAP_TYPE_LPM_TRIE | all |
BPF_MAP_TYPE_ARRAY_OF_MAPS | all |
BPF_MAP_TYPE_HASH_OF_MAPS | all |
BPF_MAP_TYPE_DEVMAP | all |
BPF_MAP_TYPE_SOCKMAP | all |
BPF_MAP_TYPE_CPUMAP | all |
BPF_MAP_TYPE_XSKMAP | all |
BPF_MAP_TYPE_SOCKHASH | all |
BPF_MAP_TYPE_CGROUP_STORAGE | all |
BPF_MAP_TYPE_REUSEPORT_SOCKARRAY | all |
BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE | all |
BPF_MAP_TYPE_QUEUE | all |
BPF_MAP_TYPE_STACK | all |
BPF_MAP_TYPE_SK_STORAGE | all |
BPF_MAP_TYPE_DEVMAP_HASH | all |
BPF_MAP_TYPE_STRUCT_OPS | all |
BPF_MAP_TYPE_RINGBUF | all |
BPF_MAP_TYPE_INODE_STORAGE | all |
BPF_MAP_TYPE_TASK_STORAGE | all |
BPF program types
BPF program types are the supported eBPF program types.
Name | Architectures |
---|---|
BPF_PROG_TYPE_UNSPEC | all |
BPF_PROG_TYPE_SOCKET_FILTER | all |
BPF_PROG_TYPE_KPROBE | all |
BPF_PROG_TYPE_SCHED_CLS | all |
BPF_PROG_TYPE_SCHED_ACT | all |
BPF_PROG_TYPE_TRACEPOINT | all |
BPF_PROG_TYPE_XDP | all |
BPF_PROG_TYPE_PERF_EVENT | all |
BPF_PROG_TYPE_CGROUP_SKB | all |
BPF_PROG_TYPE_CGROUP_SOCK | all |
BPF_PROG_TYPE_LWT_IN | all |
BPF_PROG_TYPE_LWT_OUT | all |
BPF_PROG_TYPE_LWT_XMIT | all |
BPF_PROG_TYPE_SOCK_OPS | all |
BPF_PROG_TYPE_SK_SKB | all |
BPF_PROG_TYPE_CGROUP_DEVICE | all |
BPF_PROG_TYPE_SK_MSG | all |
BPF_PROG_TYPE_RAW_TRACEPOINT | all |
BPF_PROG_TYPE_CGROUP_SOCK_ADDR | all |
BPF_PROG_TYPE_LWT_SEG6LOCAL | all |
BPF_PROG_TYPE_LIRC_MODE2 | all |
BPF_PROG_TYPE_SK_REUSEPORT | all |
BPF_PROG_TYPE_FLOW_DISSECTOR | all |
BPF_PROG_TYPE_CGROUP_SYSCTL | all |
BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE | all |
BPF_PROG_TYPE_CGROUP_SOCKOPT | all |
BPF_PROG_TYPE_TRACING | all |
BPF_PROG_TYPE_STRUCT_OPS | all |
BPF_PROG_TYPE_EXT | all |
BPF_PROG_TYPE_LSM | all |
BPF_PROG_TYPE_SK_LOOKUP | all |
Chmod mode constants
Chmod mode constants are the supported modes for the chmod syscall.
Name | Architectures |
---|---|
S_IFBLK | all |
S_IFCHR | all |
S_IFDIR | all |
S_IFIFO | all |
S_IFLNK | all |
S_IFMT | all |
S_IFREG | all |
S_IFSOCK | all |
S_IRGRP | all |
S_IROTH | all |
S_IRUSR | all |
S_IRWXG | all |
S_IRWXO | all |
S_IRWXU | all |
S_ISGID | all |
S_ISUID | all |
S_ISVTX | all |
S_IWGRP | all |
S_IWOTH | all |
S_IWUSR | all |
S_IXGRP | all |
S_IXOTH | all |
S_IXUSR | all |
DNS qclasses
DNS qclasses are the supported DNS query classes.
Name | Architectures |
---|---|
CLASS_INET | all |
CLASS_CSNET | all |
CLASS_CHAOS | all |
CLASS_HESIOD | all |
CLASS_NONE | all |
CLASS_ANY | all |
DNS qtypes
DNS qtypes are the supported DNS query types.
Name | Architectures |
---|---|
None | all |
A | all |
NS | all |
MD | all |
MF | all |
CNAME | all |
SOA | all |
MB | all |
MG | all |
MR | all |
NULL | all |
PTR | all |
HINFO | all |
MINFO | all |
MX | all |
TXT | all |
RP | all |
AFSDB | all |
X25 | all |
ISDN | all |
RT | all |
NSAPPTR | all |
SIG | all |
KEY | all |
PX | all |
GPOS | all |
AAAA | all |
LOC | all |
NXT | all |
EID | all |
NIMLOC | all |
SRV | all |
ATMA | all |
NAPTR | all |
KX | all |
CERT | all |
DNAME | all |
OPT | all |
APL | all |
DS | all |
SSHFP | all |
RRSIG | all |
NSEC | all |
DNSKEY | all |
DHCID | all |
NSEC3 | all |
NSEC3PARAM | all |
TLSA | all |
SMIMEA | all |
HIP | all |
NINFO | all |
RKEY | all |
TALINK | all |
CDS | all |
CDNSKEY | all |
OPENPGPKEY | all |
CSYNC | all |
ZONEMD | all |
SVCB | all |
HTTPS | all |
SPF | all |
UINFO | all |
UID | all |
GID | all |
UNSPEC | all |
NID | all |
L32 | all |
L64 | all |
LP | all |
EUI48 | all |
EUI64 | all |
URI | all |
CAA | all |
AVC | all |
TKEY | all |
TSIG | all |
IXFR | all |
AXFR | all |
MAILB | all |
MAILA | all |
ANY | all |
TA | all |
DLV | all |
Reserved | all |
Error Constants
Error Constants are the supported error constants.
Name | Architectures |
---|---|
E2BIG | all |
EACCES | all |
EADDRINUSE | all |
EADDRNOTAVAIL | all |
EADV | all |
EAFNOSUPPORT | all |
EAGAIN | all |
EALREADY | all |
EBADE | all |
EBADF | all |
EBADFD | all |
EBADMSG | all |
EBADR | all |
EBADRQC | all |
EBADSLT | all |
EBFONT | all |
EBUSY | all |
ECANCELED | all |
ECHILD | all |
ECHRNG | all |
ECOMM | all |
ECONNABORTED | all |
ECONNREFUSED | all |
ECONNRESET | all |
EDEADLK | all |
EDEADLOCK | all |
EDESTADDRREQ | all |
EDOM | all |
EDOTDOT | all |
EDQUOT | all |
EEXIST | all |
EFAULT | all |
EFBIG | all |
EHOSTDOWN | all |
EHOSTUNREACH | all |
EIDRM | all |
EILSEQ | all |
EINPROGRESS | all |
EINTR | all |
EINVAL | all |
EIO | all |
EISCONN | all |
EISDIR | all |
EISNAM | all |
EKEYEXPIRED | all |
EKEYREJECTED | all |
EKEYREVOKED | all |
EL2HLT | all |
EL2NSYNC | all |
EL3HLT | all |
EL3RST | all |
ELIBACC | all |
ELIBBAD | all |
ELIBEXEC | all |
ELIBMAX | all |
ELIBSCN | all |
ELNRNG | all |
ELOOP | all |
EMEDIUMTYPE | all |
EMFILE | all |
EMLINK | all |
EMSGSIZE | all |
EMULTIHOP | all |
ENAMETOOLONG | all |
ENAVAIL | all |
ENETDOWN | all |
ENETRESET | all |
ENETUNREACH | all |
ENFILE | all |
ENOANO | all |
ENOBUFS | all |
ENOCSI | all |
ENODATA | all |
ENODEV | all |
ENOENT | all |
ENOEXEC | all |
ENOKEY | all |
ENOLCK | all |
ENOLINK | all |
ENOMEDIUM | all |
ENOMEM | all |
ENOMSG | all |
ENONET | all |
ENOPKG | all |
ENOPROTOOPT | all |
ENOSPC | all |
ENOSR | all |
ENOSTR | all |
ENOSYS | all |
ENOTBLK | all |
ENOTCONN | all |
ENOTDIR | all |
ENOTEMPTY | all |
ENOTNAM | all |
ENOTRECOVERABLE | all |
ENOTSOCK | all |
ENOTSUP | all |
ENOTTY | all |
ENOTUNIQ | all |
ENXIO | all |
EOPNOTSUPP | all |
EOVERFLOW | all |
EOWNERDEAD | all |
EPERM | all |
EPFNOSUPPORT | all |
EPIPE | all |
EPROTO | all |
EPROTONOSUPPORT | all |
EPROTOTYPE | all |
ERANGE | all |
EREMCHG | all |
EREMOTE | all |
EREMOTEIO | all |
ERESTART | all |
ERFKILL | all |
EROFS | all |
ESHUTDOWN | all |
ESOCKTNOSUPPORT | all |
ESPIPE | all |
ESRCH | all |
ESRMNT | all |
ESTALE | all |
ESTRPIPE | all |
ETIME | all |
ETIMEDOUT | all |
ETOOMANYREFS | all |
ETXTBSY | all |
EUCLEAN | all |
EUNATCH | all |
EUSERS | all |
EWOULDBLOCK | all |
EXDEV | all |
EXFULL | all |
Kernel Capability constants
Kernel Capability constants are the supported Linux kernel capabilities.
Name | Architectures |
---|---|
CAP_AUDIT_CONTROL | all |
CAP_AUDIT_READ | all |
CAP_AUDIT_WRITE | all |
CAP_BLOCK_SUSPEND | all |
CAP_BPF | all |
CAP_CHECKPOINT_RESTORE | all |
CAP_CHOWN | all |
CAP_DAC_OVERRIDE | all |
CAP_DAC_READ_SEARCH | all |
CAP_FOWNER | all |
CAP_FSETID | all |
CAP_IPC_LOCK | all |
CAP_IPC_OWNER | all |
CAP_KILL | all |
CAP_LAST_CAP | all |
CAP_LEASE | all |
CAP_LINUX_IMMUTABLE | all |
CAP_MAC_ADMIN | all |
CAP_MAC_OVERRIDE | all |
CAP_MKNOD | all |
CAP_NET_ADMIN | all |
CAP_NET_BIND_SERVICE | all |
CAP_NET_BROADCAST | all |
CAP_NET_RAW | all |
CAP_PERFMON | all |
CAP_SETFCAP | all |
CAP_SETGID | all |
CAP_SETPCAP | all |
CAP_SETUID | all |
CAP_SYSLOG | all |
CAP_SYS_ADMIN | all |
CAP_SYS_BOOT | all |
CAP_SYS_CHROOT | all |
CAP_SYS_MODULE | all |
CAP_SYS_NICE | all |
CAP_SYS_PACCT | all |
CAP_SYS_PTRACE | all |
CAP_SYS_RAWIO | all |
CAP_SYS_RESOURCE | all |
CAP_SYS_TIME | all |
CAP_SYS_TTY_CONFIG | all |
CAP_WAKE_ALARM | all |
L3 protocols
L3 protocols are the supported Layer 3 protocols.
Name | Architectures |
---|---|
ETH_P_LOOP | all |
ETH_P_PUP | all |
ETH_P_PUPAT | all |
ETH_P_TSN | all |
ETH_P_IP | all |
ETH_P_X25 | all |
ETH_P_ARP | all |
ETH_P_BPQ | all |
ETH_P_IEEEPUP | all |
ETH_P_IEEEPUPAT | all |
ETH_P_BATMAN | all |
ETH_P_DEC | all |
ETH_P_DNADL | all |
ETH_P_DNARC | all |
ETH_P_DNART | all |
ETH_P_LAT | all |
ETH_P_DIAG | all |
ETH_P_CUST | all |
ETH_P_SCA | all |
ETH_P_TEB | all |
ETH_P_RARP | all |
ETH_P_ATALK | all |
ETH_P_AARP | all |
ETH_P_8021_Q | all |
ETH_P_ERSPAN | all |
ETH_P_IPX | all |
ETH_P_IPV6 | all |
ETH_P_PAUSE | all |
ETH_P_SLOW | all |
ETH_P_WCCP | all |
ETH_P_MPLSUC | all |
ETH_P_MPLSMC | all |
ETH_P_ATMMPOA | all |
ETH_P_PPPDISC | all |
ETH_P_PPPSES | all |
ETH_P__LINK_CTL | all |
ETH_P_ATMFATE | all |
ETH_P_PAE | all |
ETH_P_AOE | all |
ETH_P_8021_AD | all |
ETH_P_802_EX1 | all |
ETH_P_TIPC | all |
ETH_P_MACSEC | all |
ETH_P_8021_AH | all |
ETH_P_MVRP | all |
ETH_P_1588 | all |
ETH_P_NCSI | all |
ETH_P_PRP | all |
ETH_P_FCOE | all |
ETH_P_IBOE | all |
ETH_P_TDLS | all |
ETH_P_FIP | all |
ETH_P_80221 | all |
ETH_P_HSR | all |
ETH_P_NSH | all |
ETH_P_LOOPBACK | all |
ETH_P_QINQ1 | all |
ETH_P_QINQ2 | all |
ETH_P_QINQ3 | all |
ETH_P_EDSA | all |
ETH_P_IFE | all |
ETH_P_AFIUCV | all |
ETH_P_8023_MIN | all |
ETH_P_IPV6_HOP_BY_HOP | all |
ETH_P_8023 | all |
ETH_P_AX25 | all |
ETH_P_ALL | all |
ETH_P_8022 | all |
ETH_P_SNAP | all |
ETH_P_DDCMP | all |
ETH_P_WANPPP | all |
ETH_P_PPPMP | all |
ETH_P_LOCALTALK | all |
ETH_P_CAN | all |
ETH_P_CANFD | all |
ETH_P_PPPTALK | all |
ETH_P_TR8022 | all |
ETH_P_MOBITEX | all |
ETH_P_CONTROL | all |
ETH_P_IRDA | all |
ETH_P_ECONET | all |
ETH_P_HDLC | all |
ETH_P_ARCNET | all |
ETH_P_DSA | all |
ETH_P_TRAILER | all |
ETH_P_PHONET | all |
ETH_P_IEEE802154 | all |
ETH_P_CAIF | all |
ETH_P_XDSA | all |
ETH_P_MAP | all |
L4 protocols
L4 protocols are the supported Layer 4 protocols.
Name | Architectures |
---|---|
IP_PROTO_IP | all |
IP_PROTO_ICMP | all |
IP_PROTO_IGMP | all |
IP_PROTO_IPIP | all |
IP_PROTO_TCP | all |
IP_PROTO_EGP | all |
IP_PROTO_IGP | all |
IP_PROTO_PUP | all |
IP_PROTO_UDP | all |
IP_PROTO_IDP | all |
IP_PROTO_TP | all |
IP_PROTO_DCCP | all |
IP_PROTO_IPV6 | all |
IP_PROTO_RSVP | all |
IP_PROTO_GRE | all |
IP_PROTO_ESP | all |
IP_PROTO_AH | all |
IP_PROTO_ICMPV6 | all |
IP_PROTO_MTP | all |
IP_PROTO_BEETPH | all |
IP_PROTO_ENCAP | all |
IP_PROTO_PIM | all |
IP_PROTO_COMP | all |
IP_PROTO_SCTP | all |
IP_PROTO_UDPLITE | all |
IP_PROTO_MPLS | all |
IP_PROTO_RAW | all |
MMap flags
MMap flags are the supported flags for the mmap syscall.
Name | Architectures |
---|---|
MAP_SHARED | all |
MAP_PRIVATE | all |
MAP_SHARED_VALIDATE | all |
MAP_ANON | all |
MAP_ANONYMOUS | all |
MAP_DENYWRITE | all |
MAP_EXECUTABLE | all |
MAP_FIXED | all |
MAP_FIXED_NOREPLACE | all |
MAP_GROWSDOWN | all |
MAP_HUGETLB | all |
MAP_LOCKED | all |
MAP_NONBLOCK | all |
MAP_NORESERVE | all |
MAP_POPULATE | all |
MAP_STACK | all |
MAP_SYNC | all |
MAP_UNINITIALIZED | all |
MAP_HUGE_16KB | all |
MAP_HUGE_64KB | all |
MAP_HUGE_512KB | all |
MAP_HUGE_1MB | all |
MAP_HUGE_2MB | all |
MAP_HUGE_8MB | all |
MAP_HUGE_16MB | all |
MAP_HUGE_32MB | all |
MAP_HUGE_256MB | all |
MAP_HUGE_512MB | all |
MAP_HUGE_1GB | all |
MAP_HUGE_2GB | all |
MAP_HUGE_16GB | all |
MAP_32BIT | amd64 |
Network Address Family constants
Network Address Family constants are the supported network address families.
Name | Architectures |
---|---|
AF_UNSPEC | all |
AF_LOCAL | all |
AF_UNIX | all |
AF_FILE | all |
AF_INET | all |
AF_AX25 | all |
AF_IPX | all |
AF_APPLETALK | all |
AF_NETROM | all |
AF_BRIDGE | all |
AF_ATMPVC | all |
AF_X25 | all |
AF_INET6 | all |
AF_ROSE | all |
AF_DECnet | all |
AF_NETBEUI | all |
AF_SECURITY | all |
AF_KEY | all |
AF_NETLINK | all |
AF_ROUTE | all |
AF_PACKET | all |
AF_ASH | all |
AF_ECONET | all |
AF_ATMSVC | all |
AF_RDS | all |
AF_SNA | all |
AF_IRDA | all |
AF_PPPOX | all |
AF_WANPIPE | all |
AF_LLC | all |
AF_IB | all |
AF_MPLS | all |
AF_CAN | all |
AF_TIPC | all |
AF_BLUETOOTH | all |
AF_IUCV | all |
AF_RXRPC | all |
AF_ISDN | all |
AF_PHONET | all |
AF_IEEE802154 | all |
AF_CAIF | all |
AF_ALG | all |
AF_NFC | all |
AF_VSOCK | all |
AF_KCM | all |
AF_QIPCRTR | all |
AF_SMC | all |
AF_XDP | all |
AF_MAX | all |
Open flags
Open flags are the supported flags for the open syscall.
Name | Architectures |
---|---|
O_RDONLY | all |
O_WRONLY | all |
O_RDWR | all |
O_APPEND | all |
O_CREAT | all |
O_EXCL | all |
O_SYNC | all |
O_TRUNC | all |
O_ACCMODE | all |
O_ASYNC | all |
O_CLOEXEC | all |
O_DIRECT | all |
O_DIRECTORY | all |
O_DSYNC | all |
O_FSYNC | all |
O_NDELAY | all |
O_NOATIME | all |
O_NOCTTY | all |
O_NOFOLLOW | all |
O_NONBLOCK | all |
O_RSYNC | all |
Pipe buffer flags
Pipe buffer flags are the supported flags for a pipe buffer.
Name | Architectures |
---|---|
PIPE_BUF_FLAG_LRU | all |
PIPE_BUF_FLAG_ATOMIC | all |
PIPE_BUF_FLAG_GIFT | all |
PIPE_BUF_FLAG_PACKET | all |
PIPE_BUF_FLAG_CAN_MERGE | all |
PIPE_BUF_FLAG_WHOLE | all |
PIPE_BUF_FLAG_LOSS | all |
Protection constants
Protection constants are the supported protections for the mmap syscall.
Name | Architectures |
---|---|
PROT_NONE | all |
PROT_READ | all |
PROT_WRITE | all |
PROT_EXEC | all |
PROT_GROWSDOWN | all |
PROT_GROWSUP | all |
Ptrace constants
Ptrace constants are the supported ptrace commands for the ptrace syscall.
Name | Architectures |
---|---|
PTRACE_TRACEME | all |
PTRACE_PEEKTEXT | all |
PTRACE_PEEKDATA | all |
PTRACE_PEEKUSR | all |
PTRACE_POKETEXT | all |
PTRACE_POKEDATA | all |
PTRACE_POKEUSR | all |
PTRACE_CONT | all |
PTRACE_KILL | all |
PTRACE_SINGLESTEP | all |
PTRACE_ATTACH | all |
PTRACE_DETACH | all |
PTRACE_SYSCALL | all |
PTRACE_SETOPTIONS | all |
PTRACE_GETEVENTMSG | all |
PTRACE_GETSIGINFO | all |
PTRACE_SETSIGINFO | all |
PTRACE_GETREGSET | all |
PTRACE_SETREGSET | all |
PTRACE_SEIZE | all |
PTRACE_INTERRUPT | all |
PTRACE_LISTEN | all |
PTRACE_PEEKSIGINFO | all |
PTRACE_GETSIGMASK | all |
PTRACE_SETSIGMASK | all |
PTRACE_SECCOMP_GET_FILTER | all |
PTRACE_SECCOMP_GET_METADATA | all |
PTRACE_GET_SYSCALL_INFO | all |
PTRACE_GETFPREGS | amd64, arm |
PTRACE_SETFPREGS | amd64, arm |
PTRACE_GETFPXREGS | amd64 |
PTRACE_SETFPXREGS | amd64 |
PTRACE_OLDSETOPTIONS | amd64, arm |
PTRACE_GET_THREAD_AREA | amd64, arm |
PTRACE_SET_THREAD_AREA | amd64 |
PTRACE_ARCH_PRCTL | amd64 |
PTRACE_SYSEMU | amd64, arm64 |
PTRACE_SYSEMU_SINGLESTEP | amd64, arm64 |
PTRACE_SINGLEBLOCK | amd64 |
PTRACE_GETCRUNCHREGS | arm |
PTRACE_GETFDPIC | arm |
PTRACE_GETFDPIC_EXEC | arm |
PTRACE_GETFDPIC_INTERP | arm |
PTRACE_GETHBPREGS | arm |
PTRACE_GETVFPREGS | arm |
PTRACE_GETWMMXREGS | arm |
PTRACE_SETCRUNCHREGS | arm |
PTRACE_SETHBPREGS | arm |
PTRACE_SETVFPREGS | arm |
PTRACE_SETWMMXREGS | arm |
PTRACE_SET_SYSCALL | arm |
PTRACE_PEEKMTETAGS | arm64 |
PTRACE_POKEMTETAGS | arm64 |
SecL constants
SecL constants are the supported generic SecL constants.
Name | Architectures |
---|---|
true | all |
false | all |
Signal constants
Signal constants are the supported signals for the kill syscall.
Name | Architectures |
---|---|
SIGHUP | all |
SIGINT | all |
SIGQUIT | all |
SIGILL | all |
SIGTRAP | all |
SIGABRT | all |
SIGIOT | all |
SIGBUS | all |
SIGFPE | all |
SIGKILL | all |
SIGUSR1 | all |
SIGSEGV | all |
SIGUSR2 | all |
SIGPIPE | all |
SIGALRM | all |
SIGTERM | all |
SIGSTKFLT | all |
SIGCHLD | all |
SIGCONT | all |
SIGSTOP | all |
SIGTSTP | all |
SIGTTIN | all |
SIGTTOU | all |
SIGURG | all |
SIGXCPU | all |
SIGXFSZ | all |
SIGVTALRM | all |
SIGPROF | all |
SIGWINCH | all |
SIGIO | all |
SIGPOLL | all |
SIGPWR | all |
SIGSYS | all |
Unlink flags
Unlink flags are the supported flags for the unlink syscall.
Name | Architectures |
---|---|
AT_REMOVEDIR | all |
Virtual Memory flags
Virtual Memory flags define the protection of a virtual memory segment.
Name | Architectures |
---|---|
VM_NONE | all |
VM_READ | all |
VM_WRITE | all |
VM_EXEC | all |
VM_SHARED | all |
VM_MAYREAD | all |
VM_MAYWRITE | all |
VM_MAYEXEC | all |
VM_MAYSHARE | all |
VM_GROWSDOWN | all |
VM_UFFD_MISSING | all |
VM_PFNMAP | all |
VM_UFFD_WP | all |
VM_LOCKED | all |
VM_IO | all |
VM_SEQ_READ | all |
VM_RAND_READ | all |
VM_DONTCOPY | all |
VM_DONTEXPAND | all |
VM_LOCKONFAULT | all |
VM_ACCOUNT | all |
VM_NORESERVE | all |
VM_HUGETLB | all |
VM_SYNC | all |
VM_ARCH_1 | all |
VM_WIPEONFORK | all |
VM_DONTDUMP | all |
VM_SOFTDIRTY | all |
VM_MIXEDMAP | all |
VM_HUGEPAGE | all |
VM_NOHUGEPAGE | all |
VM_MERGEABLE | all |
Useful documentation, links, and articles: