Cloud Workload Security (CWS) first evaluates activity within the Datadog Agent against Agent expressions to decide what activity to collect. This portion of a CWS rule is called the Agent expression. Agent expressions use Datadog’s Security Language (SECL). The standard format of a SECL expression is as follows:
<event-type>.<event-attribute> <operator> <value> <event-attribute> ...
Using this format, an example rule looks like this:
open.file.path == "/etc/shadow" && file.path not in ["/usr/sbin/vipw"]
Triggers are events that correspond to types of activity seen by the system. The currently supported set of triggers is:
SECL Event | Type | Definition | Agent Version |
---|---|---|---|
bind | Network | [Experimental] A bind was executed | 7.37 |
bpf | Kernel | A BPF command was executed | 7.33 |
capset | Process | A process changed its capability set | 7.27 |
chmod | File | A file’s permissions were changed | 7.27 |
chown | File | A file’s owner was changed | 7.27 |
dns | Network | A DNS request was sent | 7.36 |
exec | Process | A process was executed or forked | 7.27 |
link | File | Create a new name/alias for a file | 7.27 |
load_module | Kernel | A new kernel module was loaded | 7.35 |
mkdir | File | A directory was created | 7.27 |
mmap | Kernel | A mmap command was executed | 7.35 |
mprotect | Kernel | A mprotect command was executed | 7.35 |
open | File | A file was opened | 7.27 |
ptrace | Kernel | A ptrace command was executed | 7.35 |
removexattr | File | Remove extended attributes | 7.27 |
rename | File | A file/directory was renamed | 7.27 |
rmdir | File | A directory was removed | 7.27 |
selinux | Kernel | An SELinux operation was run | 7.30 |
setgid | Process | A process changed its effective gid | 7.27 |
setuid | Process | A process changed its effective uid | 7.27 |
setxattr | File | Set extended attributes | 7.27 |
signal | Process | A signal was sent | 7.35 |
splice | File | A splice command was executed | 7.36 |
unlink | File | A file was deleted | 7.27 |
unload_module | Kernel | A kernel module was deleted | 7.35 |
utimes | File | Change file access/modification times | 7.27 |
SECL operators are used to combine event attributes together into a full expression. The following operators are available:
SECL Operator | Types | Definition | Agent Version |
---|---|---|---|
== | Process | Equal | 7.27 |
!= | File | Not equal | 7.27 |
> | File | Greater | 7.27 |
>= | File | Greater or equal | 7.27 |
< | File | Lesser | 7.27 |
<= | File | Lesser or equal | 7.27 |
! | File | Not | 7.27 |
^ | File | Binary not | 7.27 |
in [elem1, ...] | File | Element is contained in list | 7.27 |
not in [elem1, ...] | File | Element is not contained in list | 7.27 |
=~ | File | String matching | 7.27 |
!~ | File | String not matching | 7.27 |
& | File | Binary and | 7.27 |
\| | File | Binary or | 7.27 |
&& | File | Logical and | 7.27 |
|| | File | Logical or | 7.27 |
in CIDR | Network | Element is in the IP range | 7.37 |
not in CIDR | Network | Element is not in the IP range | 7.37 |
allin CIDR | Network | All the elements are in the IP range | 7.37 |
in [CIDR1, ...] | Network | Element is in the IP ranges | 7.37 |
not in [CIDR1, ...] | Network | Element is not in the IP ranges | 7.37 |
allin [CIDR1, ...] | Network | All the elements are in the IP ranges | 7.37 |
Patterns or regular expressions can be used in SECL expressions. They can be used with the in, not in, =~, and !~ operators.
Format | Example | Supported Fields | Agent Version |
---|---|---|---|
~"pattern" | ~"httpd.*" | All | 7.27 |
r"regexp" | r"rc[0-9]+" | All except .path | 7.27 |
Patterns on .path fields are used as globs. * matches files and folders at the same level. **, introduced in 7.34, can be used at the end of a path to match all files and subfolders beneath it.
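The two glob forms above behave differently on a path such as /etc/ssl/certs: a single * stops at the next slash, while a trailing ** descends into subfolders. The following is an added example, not the Datadog Agent's own matcher, that reimplements the semantics this page describes so the difference can be checked on constructed sample paths (SAMPLE_PATHS and the helper names are assumptions of this example):

```python
import re
from typing import List

# Added example (not the Datadog Agent's matcher): a reimplementation of the
# glob semantics this page describes for SECL patterns on .path fields.
#   *   matches files and folders at the same level, so it never crosses a "/"
#   **  at the end of a path matches every file and subfolder beneath it

# Constructed sample of paths, standing in for open.file.path values
SAMPLE_PATHS = [
    "/etc/passwd",
    "/etc/ssl",
    "/etc/ssl/certs/ca-certificates.crt",
    "/tmp/run.sh",
    "/tmp/build/run.sh",
    "/var/log/syslog",
]


def _single_level(fragment: str) -> str:
    """Escape a glob fragment, turning each '*' into 'any run of non-slash chars'."""
    return "".join("[^/]*" if ch == "*" else re.escape(ch) for ch in fragment)


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a SECL-style path glob into an anchored regular expression."""
    if "**" in pattern and not pattern.endswith("/**"):
        # The page only documents ** at the end of a path; reject anything else
        raise ValueError("** is only supported at the end of a path")
    if pattern.endswith("/**"):
        # "/etc/**" matches "/etc" itself plus everything below it
        body = _single_level(pattern[:-3]) + "(/.*)?"
    else:
        body = _single_level(pattern)
    return re.compile("^" + body + "$")


def path_matches(pattern: str, path: str) -> bool:
    """Evaluate `open.file.path =~ ~"<pattern>"` for one path."""
    return glob_to_regex(pattern).fullmatch(path) is not None


def matching_paths(pattern: str, paths: List[str]) -> List[str]:
    """Return the paths a rule with this pattern would fire on, in input order."""
    return [p for p in paths if path_matches(pattern, p)]


if __name__ == "__main__":
    for pattern in ("/etc/*", "/etc/**", "/tmp/*.sh"):
        print(pattern, "->", matching_paths(pattern, SAMPLE_PATHS))
```

Running it shows /etc/* firing on /etc/passwd and the /etc/ssl folder but not on the certificate below it, while /etc/** covers all three; a pattern that places ** anywhere but at the end is rejected rather than silently treated as a single *.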
You can use SECL to write rules based on durations, which trigger on events that occur during a specific time period. For example, trigger on an event where a secret file is accessed more than a certain length of time after a process is created. Such a rule could be written as follows:
open.file.path == "/etc/secret" && process.file.name == "java" && process.created_at > 5s
Durations are numbers with a unit suffix. The supported suffixes are “s”, “m”, “h”.
SECL variables are predefined variables that can be used as values or as part of values.
For example, a rule using the process.pid variable looks like this:
open.file.path == "/proc/${process.pid}/maps"
List of the available variables:
SECL Variable | Definition | Agent Version |
---|---|---|
process.pid | Process PID | 7.33 |
CIDR and IP matching is possible in SECL. Operators such as in, not in, or allin can be combined with CIDR or IP notations.
Such rules can be written as follows:
dns.question.name == "example.com" && network.destination.ip in ["192.168.1.25", "10.0.0.0/24"]
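The list in the rule above mixes a single host address with a CIDR block, and allin differs from in in that every address of a multi-valued field must fall inside the ranges. The following is an added example, not Datadog's evaluator, that reimplements these three operators with Python's ipaddress module and applies the page's example rule to constructed sample events (SAMPLE_EVENTS, RULE_RANGES and the function names are assumptions of this example):

```python
import ipaddress
from typing import Dict, Iterable, List

# Added example (not Datadog's evaluator): a reimplementation of the CIDR/IP
# operators this page describes: `in`, `not in` and `allin` against a list that
# may mix plain IPs and CIDR blocks.


def parse_ranges(values: Iterable[str]) -> list:
    """Parse IPs and CIDR blocks; a plain IP becomes a single-host network (/32 or /128)."""
    return [ipaddress.ip_network(v, strict=False) for v in values]


def ip_in(ip: str, ranges: Iterable[str]) -> bool:
    """`<ip> in [CIDR1, ...]`: true if the address falls inside any listed range."""
    addr = ipaddress.ip_address(ip)
    # An IPv6 address is never contained in an IPv4 network, and vice versa
    return any(addr in net for net in parse_ranges(ranges))


def ip_not_in(ip: str, ranges: Iterable[str]) -> bool:
    """`<ip> not in [CIDR1, ...]`."""
    return not ip_in(ip, ranges)


def all_in(ips: Iterable[str], ranges: Iterable[str]) -> bool:
    """`<ips> allin [CIDR1, ...]`: every address must fall inside some listed range.

    Assumption: an empty address list is vacuously true, as with Python's all().
    """
    nets = parse_ranges(ranges)
    return all(any(ipaddress.ip_address(ip) in net for net in nets) for ip in ips)


# Constructed sample events, standing in for the dns events the Agent would see
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"dns.question.name": "example.com", "network.destination.ip": "192.168.1.25"},
    {"dns.question.name": "example.com", "network.destination.ip": "10.0.0.77"},
    {"dns.question.name": "example.com", "network.destination.ip": "10.0.1.5"},
    {"dns.question.name": "other.test", "network.destination.ip": "10.0.0.9"},
]

# The page's example rule:
#   dns.question.name == "example.com" && network.destination.ip in ["192.168.1.25", "10.0.0.0/24"]
RULE_RANGES = ["192.168.1.25", "10.0.0.0/24"]


def matches_example_rule(event: Dict[str, str]) -> bool:
    """Evaluate the page's example rule against one event."""
    return event["dns.question.name"] == "example.com" and ip_in(
        event["network.destination.ip"], RULE_RANGES
    )


def matching_destinations(events: List[Dict[str, str]]) -> List[str]:
    """Destination IPs of the events the example rule would fire on."""
    return [e["network.destination.ip"] for e in events if matches_example_rule(e)]


if __name__ == "__main__":
    print(matching_destinations(SAMPLE_EVENTS))
```

Of the four constructed events only the first two match: 10.0.1.5 is outside 10.0.0.0/24, and the other.test query fails the name check even though its destination is in range.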
Helpers exist in SECL that enable users to write advanced rules without needing to rely on generic techniques such as regex.
args_flags and args_options are helpers that ease the writing of CWS rules based on command line arguments.
args_flags is used to catch arguments that start with either one or two hyphen characters but do not accept any associated value.
Examples:
- version is part of args_flags for the command cat --version
- l and n are both in args_flags for the command netstat -ln
args_options is used to catch arguments that start with either one or two hyphen characters and accept a value, either specified in the same argument separated by the '=' character or specified as the next argument.
Examples:
- T=8 and width=8 are both in args_options for the command ls -T 8 --width=8
- exec.args_options =~ [ "s=.*\\" ] can be used to detect that sudoedit was launched with the -s argument and a command that ends with a \
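To make the derivation of args_flags and args_options concrete, here is an added example that reimplements the splitting rules described above and the pattern check from the sudoedit example. It is not the Datadog Agent's implementation; the handling of a bare "--", of a single-letter option followed by a value, and the whole-string regex match are assumptions of this example, and EXAMPLES is a constructed set of command lines:

```python
import re
from typing import List, Tuple

# Added example (not the Datadog Agent's implementation): a reimplementation of
# how this page describes args_flags and args_options being derived from a
# process's command line, plus the pattern check used in the sudoedit example.


def split_args(argv: List[str]) -> Tuple[List[str], List[str]]:
    """Derive (args_flags, args_options) from argv, skipping argv[0].

    Rules as described on the page, with these assumptions filled in:
      - "--name=value" or "-n=value"      -> option "name=value"
      - "--name value" or "-n value"      -> option "name=value" when a next
                                             argument exists and is not itself
                                             hyphen-prefixed
      - "-ln" (several short letters, no value) -> flags "l" and "n"
      - any other hyphen-prefixed argument -> a flag
      - a bare "--" ends option parsing; a bare "-" (stdin) is ignored
    """
    flags: List[str] = []
    options: List[str] = []
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "--":
            break
        if not arg.startswith("-") or arg == "-":
            i += 1
            continue
        long_form = arg.startswith("--")
        name = arg.lstrip("-")
        has_next_value = i + 1 < len(argv) and not argv[i + 1].startswith("-")
        if "=" in name:
            options.append(name)                      # --width=8  -> width=8
        elif has_next_value and (long_form or len(name) == 1):
            options.append(f"{name}={argv[i + 1]}")   # -T 8       -> T=8
            i += 1                                    # consume the value
        elif not long_form and len(name) > 1:
            flags.extend(name)                        # -ln        -> l, n
        else:
            flags.append(name)                        # --version  -> version
        i += 1
    return flags, options


def option_matches(options: List[str], regex: str) -> bool:
    """Mimic `exec.args_options =~ [ "<regex>" ]`: true if any option matches.

    Assumption: the regex must match the whole option string.
    """
    rx = re.compile(regex)
    return any(rx.fullmatch(opt) is not None for opt in options)


# Constructed command lines taken from the page's examples
EXAMPLES = {
    "cat": ["cat", "--version"],
    "netstat": ["netstat", "-ln"],
    "ls": ["ls", "-T", "8", "--width=8"],
    "sudoedit": ["sudoedit", "-s", "\\"],
}


if __name__ == "__main__":
    for name, argv in EXAMPLES.items():
        flags, options = split_args(argv)
        print(name, "flags:", flags, "options:", options)
    _, sudo_opts = split_args(EXAMPLES["sudoedit"])
    print("sudoedit -s \\ matches:", option_matches(sudo_opts, r"s=.*\\"))
```

One limitation worth knowing when writing rules on these helpers: without the target program's option table, a single-letter flag followed by a positional argument (ls -l file.txt) is indistinguishable from an option with a value, and this reimplementation records it as l=file.txt; match on argv or args where that ambiguity matters.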
The file.rights attribute can be used in addition to file.mode. file.mode can hold values set by the kernel, while file.rights only holds the values set by the user. These rights may be more familiar because they are the ones used in chmod commands.
Property | Type | Definition |
---|---|---|
container.id | string | ID of the container |
container.tags | string | Tags of the container |
network.destination.ip | IP/CIDR | IP address |
network.destination.port | int | Port number |
network.device.ifindex | int | interface ifindex |
network.device.ifname | string | interface ifname |
network.l3_protocol | int | l3 protocol of the network packet |
network.l4_protocol | int | l4 protocol of the network packet |
network.size | int | size in bytes of the network packet |
network.source.ip | IP/CIDR | IP address |
network.source.port | int | Port number |
process.ancestors.args | string | Arguments of the process (as a string) |
process.ancestors.args_flags | string | Arguments of the process (as an array) |
process.ancestors.args_options | string | Arguments of the process (as an array) |
process.ancestors.args_truncated | bool | Indicator of arguments truncation |
process.ancestors.argv | string | Arguments of the process (as an array) |
process.ancestors.argv0 | string | First argument of the process |
process.ancestors.cap_effective | int | Effective capability set of the process |
process.ancestors.cap_permitted | int | Permitted capability set of the process |
process.ancestors.comm | string | Comm attribute of the process |
process.ancestors.container.id | string | Container ID |
process.ancestors.cookie | int | Cookie of the process |
process.ancestors.created_at | int | Timestamp of the creation of the process |
process.ancestors.egid | int | Effective GID of the process |
process.ancestors.egroup | string | Effective group of the process |
process.ancestors.envp | string | Environment variables of the process |
process.ancestors.envs | string | Environment variable names of the process |
process.ancestors.envs_truncated | bool | Indicator of environment variables truncation |
process.ancestors.euid | int | Effective UID of the process |
process.ancestors.euser | string | Effective user of the process |
process.ancestors.file.change_time | int | Change time of the file |
process.ancestors.file.filesystem | string | File’s filesystem |
process.ancestors.file.gid | int | GID of the file’s owner |
process.ancestors.file.group | string | Group of the file’s owner |
process.ancestors.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
process.ancestors.file.inode | int | Inode of the file |
process.ancestors.file.mode | int | Mode/rights of the file |
process.ancestors.file.modification_time | int | Modification time of the file |
process.ancestors.file.mount_id | int | Mount ID of the file |
process.ancestors.file.name | string | File’s basename |
process.ancestors.file.path | string | File’s path |
process.ancestors.file.rights | int | Mode/rights of the file |
process.ancestors.file.uid | int | UID of the file’s owner |
process.ancestors.file.user | string | User of the file’s owner |
process.ancestors.fsgid | int | FileSystem-gid of the process |
process.ancestors.fsgroup | string | FileSystem-group of the process |
process.ancestors.fsuid | int | FileSystem-uid of the process |
process.ancestors.fsuser | string | FileSystem-user of the process |
process.ancestors.gid | int | GID of the process |
process.ancestors.group | string | Group of the process |
process.ancestors.pid | int | Process ID of the process (also called thread group ID) |
process.ancestors.ppid | int | Parent process ID |
process.ancestors.tid | int | Thread ID of the thread |
process.ancestors.tty_name | string | Name of the TTY associated with the process |
process.ancestors.uid | int | UID of the process |
process.ancestors.user | string | User of the process |
process.args | string | Arguments of the process (as a string) |
process.args_flags | string | Arguments of the process (as an array) |
process.args_options | string | Arguments of the process (as an array) |
process.args_truncated | bool | Indicator of arguments truncation |
process.argv | string | Arguments of the process (as an array) |
process.argv0 | string | First argument of the process |
process.cap_effective | int | Effective capability set of the process |
process.cap_permitted | int | Permitted capability set of the process |
process.comm | string | Comm attribute of the process |
process.container.id | string | Container ID |
process.cookie | int | Cookie of the process |
process.created_at | int | Timestamp of the creation of the process |
process.egid | int | Effective GID of the process |
process.egroup | string | Effective group of the process |
process.envp | string | Environment variables of the process |
process.envs | string | Environment variable names of the process |
process.envs_truncated | bool | Indicator of environment variables truncation |
process.euid | int | Effective UID of the process |
process.euser | string | Effective user of the process |
process.file.change_time | int | Change time of the file |
process.file.filesystem | string | File’s filesystem |
process.file.gid | int | GID of the file’s owner |
process.file.group | string | Group of the file’s owner |
process.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
process.file.inode | int | Inode of the file |
process.file.mode | int | Mode/rights of the file |
process.file.modification_time | int | Modification time of the file |
process.file.mount_id | int | Mount ID of the file |
process.file.name | string | File’s basename |
process.file.path | string | File’s path |
process.file.rights | int | Mode/rights of the file |
process.file.uid | int | UID of the file’s owner |
process.file.user | string | User of the file’s owner |
process.fsgid | int | FileSystem-gid of the process |
process.fsgroup | string | FileSystem-group of the process |
process.fsuid | int | FileSystem-uid of the process |
process.fsuser | string | FileSystem-user of the process |
process.gid | int | GID of the process |
process.group | string | Group of the process |
process.pid | int | Process ID of the process (also called thread group ID) |
process.ppid | int | Parent process ID |
process.tid | int | Thread ID of the thread |
process.tty_name | string | Name of the TTY associated with the process |
process.uid | int | UID of the process |
process.user | string | User of the process |
bind
This event type is experimental and may change in the future.
A bind was executed
Property | Type | Definition |
---|---|---|
bind.addr.family | int | Address family |
bind.addr.ip | IP/CIDR | IP address |
bind.addr.port | int | Port number |
bind.async | bool | True if the syscall was asynchronous |
bind.retval | int | Return value of the syscall |
bpf
A BPF command was executed
Property | Type | Definition |
---|---|---|
bpf.async | bool | True if the syscall was asynchronous |
bpf.cmd | int | BPF command name |
bpf.map.name | string | Name of the eBPF map (added in 7.35) |
bpf.map.type | int | Type of the eBPF map |
bpf.prog.attach_type | int | Attach type of the eBPF program |
bpf.prog.helpers | int | eBPF helpers used by the eBPF program (added in 7.35) |
bpf.prog.name | string | Name of the eBPF program (added in 7.35) |
bpf.prog.tag | string | Hash (sha1) of the eBPF program (added in 7.35) |
bpf.prog.type | int | Type of the eBPF program |
bpf.retval | int | Return value of the syscall |
capset
A process changed its capability set
Property | Type | Definition |
---|---|---|
capset.cap_effective | int | Effective capability set of the process |
capset.cap_permitted | int | Permitted capability set of the process |
chmod
A file’s permissions were changed
Property | Type | Definition |
---|---|---|
chmod.async | bool | True if the syscall was asynchronous |
chmod.file.change_time | int | Change time of the file |
chmod.file.destination.mode | int | New mode/rights of the chmod-ed file |
chmod.file.destination.rights | int | New mode/rights of the chmod-ed file |
chmod.file.filesystem | string | File’s filesystem |
chmod.file.gid | int | GID of the file’s owner |
chmod.file.group | string | Group of the file’s owner |
chmod.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
chmod.file.inode | int | Inode of the file |
chmod.file.mode | int | Mode/rights of the file |
chmod.file.modification_time | int | Modification time of the file |
chmod.file.mount_id | int | Mount ID of the file |
chmod.file.name | string | File’s basename |
chmod.file.path | string | File’s path |
chmod.file.rights | int | Mode/rights of the file |
chmod.file.uid | int | UID of the file’s owner |
chmod.file.user | string | User of the file’s owner |
chmod.retval | int | Return value of the syscall |
chown
A file’s owner was changed
Property | Type | Definition |
---|---|---|
chown.async | bool | True if the syscall was asynchronous |
chown.file.change_time | int | Change time of the file |
chown.file.destination.gid | int | New GID of the chown-ed file’s owner |
chown.file.destination.group | string | New group of the chown-ed file’s owner |
chown.file.destination.uid | int | New UID of the chown-ed file’s owner |
chown.file.destination.user | string | New user of the chown-ed file’s owner |
chown.file.filesystem | string | File’s filesystem |
chown.file.gid | int | GID of the file’s owner |
chown.file.group | string | Group of the file’s owner |
chown.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
chown.file.inode | int | Inode of the file |
chown.file.mode | int | Mode/rights of the file |
chown.file.modification_time | int | Modification time of the file |
chown.file.mount_id | int | Mount ID of the file |
chown.file.name | string | File’s basename |
chown.file.path | string | File’s path |
chown.file.rights | int | Mode/rights of the file |
chown.file.uid | int | UID of the file’s owner |
chown.file.user | string | User of the file’s owner |
chown.retval | int | Return value of the syscall |
dns
A DNS request was sent
Property | Type | Definition |
---|---|---|
dns.question.class | int | the class looked up by the DNS question |
dns.question.count | int | the total count of questions in the DNS request |
dns.question.name | string | the queried domain name |
dns.question.size | int | the total DNS request size in bytes |
dns.question.type | int | a two octet code which specifies the DNS question type |
exec
A process was executed or forked
Property | Type | Definition |
---|---|---|
exec.args | string | Arguments of the process (as a string) |
exec.args_flags | string | Arguments of the process (as an array) |
exec.args_options | string | Arguments of the process (as an array) |
exec.args_truncated | bool | Indicator of arguments truncation |
exec.argv | string | Arguments of the process (as an array) |
exec.argv0 | string | First argument of the process |
exec.cap_effective | int | Effective capability set of the process |
exec.cap_permitted | int | Permitted capability set of the process |
exec.comm | string | Comm attribute of the process |
exec.container.id | string | Container ID |
exec.cookie | int | Cookie of the process |
exec.created_at | int | Timestamp of the creation of the process |
exec.egid | int | Effective GID of the process |
exec.egroup | string | Effective group of the process |
exec.envp | string | Environment variables of the process |
exec.envs | string | Environment variable names of the process |
exec.envs_truncated | bool | Indicator of environment variables truncation |
exec.euid | int | Effective UID of the process |
exec.euser | string | Effective user of the process |
exec.file.change_time | int | Change time of the file |
exec.file.filesystem | string | File’s filesystem |
exec.file.gid | int | GID of the file’s owner |
exec.file.group | string | Group of the file’s owner |
exec.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
exec.file.inode | int | Inode of the file |
exec.file.mode | int | Mode/rights of the file |
exec.file.modification_time | int | Modification time of the file |
exec.file.mount_id | int | Mount ID of the file |
exec.file.name | string | File’s basename |
exec.file.path | string | File’s path |
exec.file.rights | int | Mode/rights of the file |
exec.file.uid | int | UID of the file’s owner |
exec.file.user | string | User of the file’s owner |
exec.fsgid | int | FileSystem-gid of the process |
exec.fsgroup | string | FileSystem-group of the process |
exec.fsuid | int | FileSystem-uid of the process |
exec.fsuser | string | FileSystem-user of the process |
exec.gid | int | GID of the process |
exec.group | string | Group of the process |
exec.pid | int | Process ID of the process (also called thread group ID) |
exec.ppid | int | Parent process ID |
exec.tid | int | Thread ID of the thread |
exec.tty_name | string | Name of the TTY associated with the process |
exec.uid | int | UID of the process |
exec.user | string | User of the process |
link
Create a new name/alias for a file
Property | Type | Definition |
---|---|---|
link.async | bool | True if the syscall was asynchronous |
link.file.change_time | int | Change time of the file |
link.file.destination.change_time | int | Change time of the file |
link.file.destination.filesystem | string | File’s filesystem |
link.file.destination.gid | int | GID of the file’s owner |
link.file.destination.group | string | Group of the file’s owner |
link.file.destination.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
link.file.destination.inode | int | Inode of the file |
link.file.destination.mode | int | Mode/rights of the file |
link.file.destination.modification_time | int | Modification time of the file |
link.file.destination.mount_id | int | Mount ID of the file |
link.file.destination.name | string | File’s basename |
link.file.destination.path | string | File’s path |
link.file.destination.rights | int | Mode/rights of the file |
link.file.destination.uid | int | UID of the file’s owner |
link.file.destination.user | string | User of the file’s owner |
link.file.filesystem | string | File’s filesystem |
link.file.gid | int | GID of the file’s owner |
link.file.group | string | Group of the file’s owner |
link.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
link.file.inode | int | Inode of the file |
link.file.mode | int | Mode/rights of the file |
link.file.modification_time | int | Modification time of the file |
link.file.mount_id | int | Mount ID of the file |
link.file.name | string | File’s basename |
link.file.path | string | File’s path |
link.file.rights | int | Mode/rights of the file |
link.file.uid | int | UID of the file’s owner |
link.file.user | string | User of the file’s owner |
link.retval | int | Return value of the syscall |
load_module
A new kernel module was loaded
Property | Type | Definition |
---|---|---|
load_module.async | bool | True if the syscall was asynchronous |
load_module.file.change_time | int | Change time of the file |
load_module.file.filesystem | string | File’s filesystem |
load_module.file.gid | int | GID of the file’s owner |
load_module.file.group | string | Group of the file’s owner |
load_module.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
load_module.file.inode | int | Inode of the file |
load_module.file.mode | int | Mode/rights of the file |
load_module.file.modification_time | int | Modification time of the file |
load_module.file.mount_id | int | Mount ID of the file |
load_module.file.name | string | File’s basename |
load_module.file.path | string | File’s path |
load_module.file.rights | int | Mode/rights of the file |
load_module.file.uid | int | UID of the file’s owner |
load_module.file.user | string | User of the file’s owner |
load_module.loaded_from_memory | bool | Indicates if the kernel module was loaded from memory |
load_module.name | string | Name of the new kernel module |
load_module.retval | int | Return value of the syscall |
mkdir
A directory was created
Property | Type | Definition |
---|---|---|
mkdir.async | bool | True if the syscall was asynchronous |
mkdir.file.change_time | int | Change time of the file |
mkdir.file.destination.mode | int | Mode/rights of the new directory |
mkdir.file.destination.rights | int | Mode/rights of the new directory |
mkdir.file.filesystem | string | File’s filesystem |
mkdir.file.gid | int | GID of the file’s owner |
mkdir.file.group | string | Group of the file’s owner |
mkdir.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
mkdir.file.inode | int | Inode of the file |
mkdir.file.mode | int | Mode/rights of the file |
mkdir.file.modification_time | int | Modification time of the file |
mkdir.file.mount_id | int | Mount ID of the file |
mkdir.file.name | string | File’s basename |
mkdir.file.path | string | File’s path |
mkdir.file.rights | int | Mode/rights of the file |
mkdir.file.uid | int | UID of the file’s owner |
mkdir.file.user | string | User of the file’s owner |
mkdir.retval | int | Return value of the syscall |
mmap
A mmap command was executed
Property | Type | Definition |
---|---|---|
mmap.async | bool | True if the syscall was asynchronous |
mmap.file.change_time | int | Change time of the file |
mmap.file.filesystem | string | File’s filesystem |
mmap.file.gid | int | GID of the file’s owner |
mmap.file.group | string | Group of the file’s owner |
mmap.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
mmap.file.inode | int | Inode of the file |
mmap.file.mode | int | Mode/rights of the file |
mmap.file.modification_time | int | Modification time of the file |
mmap.file.mount_id | int | Mount ID of the file |
mmap.file.name | string | File’s basename |
mmap.file.path | string | File’s path |
mmap.file.rights | int | Mode/rights of the file |
mmap.file.uid | int | UID of the file’s owner |
mmap.file.user | string | User of the file’s owner |
mmap.flags | int | memory segment flags |
mmap.protection | int | memory segment protection |
mmap.retval | int | Return value of the syscall |
mprotect
A mprotect command was executed
Property | Type | Definition |
---|---|---|
mprotect.async | bool | True if the syscall was asynchronous |
mprotect.req_protection | int | new memory segment protection |
mprotect.retval | int | Return value of the syscall |
mprotect.vm_protection | int | initial memory segment protection |
open
A file was opened
Property | Type | Definition |
---|---|---|
open.async | bool | True if the syscall was asynchronous |
open.file.change_time | int | Change time of the file |
open.file.destination.mode | int | Mode of the created file |
open.file.filesystem | string | File’s filesystem |
open.file.gid | int | GID of the file’s owner |
open.file.group | string | Group of the file’s owner |
open.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
open.file.inode | int | Inode of the file |
open.file.mode | int | Mode/rights of the file |
open.file.modification_time | int | Modification time of the file |
open.file.mount_id | int | Mount ID of the file |
open.file.name | string | File’s basename |
open.file.path | string | File’s path |
open.file.rights | int | Mode/rights of the file |
open.file.uid | int | UID of the file’s owner |
open.file.user | string | User of the file’s owner |
open.flags | int | Flags used when opening the file |
open.retval | int | Return value of the syscall |
ptrace
A ptrace command was executed
Property | Type | Definition |
---|---|---|
ptrace.async | bool | True if the syscall was asynchronous |
ptrace.request | int | ptrace request |
ptrace.retval | int | Return value of the syscall |
ptrace.tracee.ancestors.args | string | Arguments of the process (as a string) |
ptrace.tracee.ancestors.args_flags | string | Arguments of the process (as an array) |
ptrace.tracee.ancestors.args_options | string | Arguments of the process (as an array) |
ptrace.tracee.ancestors.args_truncated | bool | Indicator of arguments truncation |
ptrace.tracee.ancestors.argv | string | Arguments of the process (as an array) |
ptrace.tracee.ancestors.argv0 | string | First argument of the process |
ptrace.tracee.ancestors.cap_effective | int | Effective capability set of the process |
ptrace.tracee.ancestors.cap_permitted | int | Permitted capability set of the process |
ptrace.tracee.ancestors.comm | string | Comm attribute of the process |
ptrace.tracee.ancestors.container.id | string | Container ID |
ptrace.tracee.ancestors.cookie | int | Cookie of the process |
ptrace.tracee.ancestors.created_at | int | Timestamp of the creation of the process |
ptrace.tracee.ancestors.egid | int | Effective GID of the process |
ptrace.tracee.ancestors.egroup | string | Effective group of the process |
ptrace.tracee.ancestors.envp | string | Environment variables of the process |
ptrace.tracee.ancestors.envs | string | Environment variable names of the process |
ptrace.tracee.ancestors.envs_truncated | bool | Indicator of environment variables truncation |
ptrace.tracee.ancestors.euid | int | Effective UID of the process |
ptrace.tracee.ancestors.euser | string | Effective user of the process |
ptrace.tracee.ancestors.file.change_time | int | Change time of the file |
ptrace.tracee.ancestors.file.filesystem | string | File’s filesystem |
ptrace.tracee.ancestors.file.gid | int | GID of the file’s owner |
ptrace.tracee.ancestors.file.group | string | Group of the file’s owner |
ptrace.tracee.ancestors.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
ptrace.tracee.ancestors.file.inode | int | Inode of the file |
ptrace.tracee.ancestors.file.mode | int | Mode/rights of the file |
ptrace.tracee.ancestors.file.modification_time | int | Modification time of the file |
ptrace.tracee.ancestors.file.mount_id | int | Mount ID of the file |
ptrace.tracee.ancestors.file.name | string | File’s basename |
ptrace.tracee.ancestors.file.path | string | File’s path |
ptrace.tracee.ancestors.file.rights | int | Mode/rights of the file |
ptrace.tracee.ancestors.file.uid | int | UID of the file’s owner |
ptrace.tracee.ancestors.file.user | string | User of the file’s owner |
ptrace.tracee.ancestors.fsgid | int | FileSystem-gid of the process |
ptrace.tracee.ancestors.fsgroup | string | FileSystem-group of the process |
ptrace.tracee.ancestors.fsuid | int | FileSystem-uid of the process |
ptrace.tracee.ancestors.fsuser | string | FileSystem-user of the process |
ptrace.tracee.ancestors.gid | int | GID of the process |
ptrace.tracee.ancestors.group | string | Group of the process |
ptrace.tracee.ancestors.pid | int | Process ID of the process (also called thread group ID) |
ptrace.tracee.ancestors.ppid | int | Parent process ID |
ptrace.tracee.ancestors.tid | int | Thread ID of the thread |
ptrace.tracee.ancestors.tty_name | string | Name of the TTY associated with the process |
ptrace.tracee.ancestors.uid | int | UID of the process |
ptrace.tracee.ancestors.user | string | User of the process |
ptrace.tracee.args | string | Arguments of the process (as a string) |
ptrace.tracee.args_flags | string | Arguments of the process (as an array) |
ptrace.tracee.args_options | string | Arguments of the process (as an array) |
ptrace.tracee.args_truncated | bool | Indicator of arguments truncation |
ptrace.tracee.argv | string | Arguments of the process (as an array) |
ptrace.tracee.argv0 | string | First argument of the process |
ptrace.tracee.cap_effective | int | Effective capability set of the process |
ptrace.tracee.cap_permitted | int | Permitted capability set of the process |
ptrace.tracee.comm | string | Comm attribute of the process |
ptrace.tracee.container.id | string | Container ID |
ptrace.tracee.cookie | int | Cookie of the process |
ptrace.tracee.created_at | int | Timestamp of the creation of the process |
ptrace.tracee.egid | int | Effective GID of the process |
ptrace.tracee.egroup | string | Effective group of the process |
ptrace.tracee.envp | string | Environment variables of the process |
ptrace.tracee.envs | string | Environment variable names of the process |
ptrace.tracee.envs_truncated | bool | Indicator of environment variables truncation |
ptrace.tracee.euid | int | Effective UID of the process |
ptrace.tracee.euser | string | Effective user of the process |
ptrace.tracee.file.change_time | int | Change time of the file |
ptrace.tracee.file.filesystem | string | File’s filesystem |
ptrace.tracee.file.gid | int | GID of the file’s owner |
ptrace.tracee.file.group | string | Group of the file’s owner |
ptrace.tracee.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
ptrace.tracee.file.inode | int | Inode of the file |
ptrace.tracee.file.mode | int | Mode/rights of the file |
ptrace.tracee.file.modification_time | int | Modification time of the file |
ptrace.tracee.file.mount_id | int | Mount ID of the file |
ptrace.tracee.file.name | string | File’s basename |
ptrace.tracee.file.path | string | File’s path |
ptrace.tracee.file.rights | int | Mode/rights of the file |
ptrace.tracee.file.uid | int | UID of the file’s owner |
ptrace.tracee.file.user | string | User of the file’s owner |
ptrace.tracee.fsgid | int | FileSystem-gid of the process |
ptrace.tracee.fsgroup | string | FileSystem-group of the process |
ptrace.tracee.fsuid | int | FileSystem-uid of the process |
ptrace.tracee.fsuser | string | FileSystem-user of the process |
ptrace.tracee.gid | int | GID of the process |
ptrace.tracee.group | string | Group of the process |
ptrace.tracee.pid | int | Process ID of the process (also called thread group ID) |
ptrace.tracee.ppid | int | Parent process ID |
ptrace.tracee.tid | int | Thread ID of the thread |
ptrace.tracee.tty_name | string | Name of the TTY associated with the process |
ptrace.tracee.uid | int | UID of the process |
ptrace.tracee.user | string | User of the process |
removexattr
Remove extended attributes
Property | Type | Definition |
---|---|---|
removexattr.async | bool | True if the syscall was asynchronous |
removexattr.file.change_time | int | Change time of the file |
removexattr.file.destination.name | string | Name of the extended attribute |
removexattr.file.destination.namespace | string | Namespace of the extended attribute |
removexattr.file.filesystem | string | File’s filesystem |
removexattr.file.gid | int | GID of the file’s owner |
removexattr.file.group | string | Group of the file’s owner |
removexattr.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
removexattr.file.inode | int | Inode of the file |
removexattr.file.mode | int | Mode/rights of the file |
removexattr.file.modification_time | int | Modification time of the file |
removexattr.file.mount_id | int | Mount ID of the file |
removexattr.file.name | string | File’s basename |
removexattr.file.path | string | File’s path |
removexattr.file.rights | int | Mode/rights of the file |
removexattr.file.uid | int | UID of the file’s owner |
removexattr.file.user | string | User of the file’s owner |
removexattr.retval | int | Return value of the syscall |
rename
A file/directory was renamed
Property | Type | Definition |
---|---|---|
rename.async | bool | True if the syscall was asynchronous |
rename.file.change_time | int | Change time of the file |
rename.file.destination.change_time | int | Change time of the file |
rename.file.destination.filesystem | string | File’s filesystem |
rename.file.destination.gid | int | GID of the file’s owner |
rename.file.destination.group | string | Group of the file’s owner |
rename.file.destination.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
rename.file.destination.inode | int | Inode of the file |
rename.file.destination.mode | int | Mode/rights of the file |
rename.file.destination.modification_time | int | Modification time of the file |
rename.file.destination.mount_id | int | Mount ID of the file |
rename.file.destination.name | string | File’s basename |
rename.file.destination.path | string | File’s path |
rename.file.destination.rights | int | Mode/rights of the file |
rename.file.destination.uid | int | UID of the file’s owner |
rename.file.destination.user | string | User of the file’s owner |
rename.file.filesystem | string | File’s filesystem |
rename.file.gid | int | GID of the file’s owner |
rename.file.group | string | Group of the file’s owner |
rename.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
rename.file.inode | int | Inode of the file |
rename.file.mode | int | Mode/rights of the file |
rename.file.modification_time | int | Modification time of the file |
rename.file.mount_id | int | Mount ID of the file |
rename.file.name | string | File’s basename |
rename.file.path | string | File’s path |
rename.file.rights | int | Mode/rights of the file |
rename.file.uid | int | UID of the file’s owner |
rename.file.user | string | User of the file’s owner |
rename.retval | int | Return value of the syscall |
rmdir
A directory was removed
Property | Type | Definition |
---|---|---|
rmdir.async | bool | True if the syscall was asynchronous |
rmdir.file.change_time | int | Change time of the file |
rmdir.file.filesystem | string | File’s filesystem |
rmdir.file.gid | int | GID of the file’s owner |
rmdir.file.group | string | Group of the file’s owner |
rmdir.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
rmdir.file.inode | int | Inode of the file |
rmdir.file.mode | int | Mode/rights of the file |
rmdir.file.modification_time | int | Modification time of the file |
rmdir.file.mount_id | int | Mount ID of the file |
rmdir.file.name | string | File’s basename |
rmdir.file.path | string | File’s path |
rmdir.file.rights | int | Mode/rights of the file |
rmdir.file.uid | int | UID of the file’s owner |
rmdir.file.user | string | User of the file’s owner |
rmdir.retval | int | Return value of the syscall |
selinux
An SELinux operation was run
Property | Type | Definition |
---|---|---|
selinux.bool.name | string | SELinux boolean name |
selinux.bool.state | string | SELinux boolean new value |
selinux.bool_commit.state | bool | Indicator of a SELinux boolean commit operation |
selinux.enforce.status | string | SELinux enforcement status (one of “enforcing”, “permissive”, “disabled”) |
setgid
A process changed its effective gid
Property | Type | Definition |
---|---|---|
setgid.egid | int | New effective GID of the process |
setgid.egroup | string | New effective group of the process |
setgid.fsgid | int | New FileSystem GID of the process |
setgid.fsgroup | string | New FileSystem group of the process |
setgid.gid | int | New GID of the process |
setgid.group | string | New group of the process |
setuid
A process changed its effective uid
Property | Type | Definition |
---|---|---|
setuid.euid | int | New effective UID of the process |
setuid.euser | string | New effective user of the process |
setuid.fsuid | int | New FileSystem UID of the process |
setuid.fsuser | string | New FileSystem user of the process |
setuid.uid | int | New UID of the process |
setuid.user | string | New user of the process |
setxattr
Set extended attributes
Property | Type | Definition |
---|---|---|
setxattr.async | bool | True if the syscall was asynchronous |
setxattr.file.change_time | int | Change time of the file |
setxattr.file.destination.name | string | Name of the extended attribute |
setxattr.file.destination.namespace | string | Namespace of the extended attribute |
setxattr.file.filesystem | string | File’s filesystem |
setxattr.file.gid | int | GID of the file’s owner |
setxattr.file.group | string | Group of the file’s owner |
setxattr.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
setxattr.file.inode | int | Inode of the file |
setxattr.file.mode | int | Mode/rights of the file |
setxattr.file.modification_time | int | Modification time of the file |
setxattr.file.mount_id | int | Mount ID of the file |
setxattr.file.name | string | File’s basename |
setxattr.file.path | string | File’s path |
setxattr.file.rights | int | Mode/rights of the file |
setxattr.file.uid | int | UID of the file’s owner |
setxattr.file.user | string | User of the file’s owner |
setxattr.retval | int | Return value of the syscall |
signal
A signal was sent
Property | Type | Definition |
---|---|---|
signal.async | bool | True if the syscall was asynchronous |
signal.pid | int | Target PID |
signal.retval | int | Return value of the syscall |
signal.target.ancestors.args | string | Arguments of the process (as a string) |
signal.target.ancestors.args_flags | string | Arguments of the process (as an array) |
signal.target.ancestors.args_options | string | Arguments of the process (as an array) |
signal.target.ancestors.args_truncated | bool | Indicator of arguments truncation |
signal.target.ancestors.argv | string | Arguments of the process (as an array) |
signal.target.ancestors.argv0 | string | First argument of the process |
signal.target.ancestors.cap_effective | int | Effective capability set of the process |
signal.target.ancestors.cap_permitted | int | Permitted capability set of the process |
signal.target.ancestors.comm | string | Comm attribute of the process |
signal.target.ancestors.container.id | string | Container ID |
signal.target.ancestors.cookie | int | Cookie of the process |
signal.target.ancestors.created_at | int | Timestamp of the creation of the process |
signal.target.ancestors.egid | int | Effective GID of the process |
signal.target.ancestors.egroup | string | Effective group of the process |
signal.target.ancestors.envp | string | Environment variables of the process |
signal.target.ancestors.envs | string | Environment variable names of the process |
signal.target.ancestors.envs_truncated | bool | Indicator of environment variables truncation |
signal.target.ancestors.euid | int | Effective UID of the process |
signal.target.ancestors.euser | string | Effective user of the process |
signal.target.ancestors.file.change_time | int | Change time of the file |
signal.target.ancestors.file.filesystem | string | File’s filesystem |
signal.target.ancestors.file.gid | int | GID of the file’s owner |
signal.target.ancestors.file.group | string | Group of the file’s owner |
signal.target.ancestors.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
signal.target.ancestors.file.inode | int | Inode of the file |
signal.target.ancestors.file.mode | int | Mode/rights of the file |
signal.target.ancestors.file.modification_time | int | Modification time of the file |
signal.target.ancestors.file.mount_id | int | Mount ID of the file |
signal.target.ancestors.file.name | string | File’s basename |
signal.target.ancestors.file.path | string | File’s path |
signal.target.ancestors.file.rights | int | Mode/rights of the file |
signal.target.ancestors.file.uid | int | UID of the file’s owner |
signal.target.ancestors.file.user | string | User of the file’s owner |
signal.target.ancestors.fsgid | int | FileSystem-gid of the process |
signal.target.ancestors.fsgroup | string | FileSystem-group of the process |
signal.target.ancestors.fsuid | int | FileSystem-uid of the process |
signal.target.ancestors.fsuser | string | FileSystem-user of the process |
signal.target.ancestors.gid | int | GID of the process |
signal.target.ancestors.group | string | Group of the process |
signal.target.ancestors.pid | int | Process ID of the process (also called thread group ID) |
signal.target.ancestors.ppid | int | Parent process ID |
signal.target.ancestors.tid | int | Thread ID of the thread |
signal.target.ancestors.tty_name | string | Name of the TTY associated with the process |
signal.target.ancestors.uid | int | UID of the process |
signal.target.ancestors.user | string | User of the process |
signal.target.args | string | Arguments of the process (as a string) |
signal.target.args_flags | string | Arguments of the process (as an array) |
signal.target.args_options | string | Arguments of the process (as an array) |
signal.target.args_truncated | bool | Indicator of arguments truncation |
signal.target.argv | string | Arguments of the process (as an array) |
signal.target.argv0 | string | First argument of the process |
signal.target.cap_effective | int | Effective capability set of the process |
signal.target.cap_permitted | int | Permitted capability set of the process |
signal.target.comm | string | Comm attribute of the process |
signal.target.container.id | string | Container ID |
signal.target.cookie | int | Cookie of the process |
signal.target.created_at | int | Timestamp of the creation of the process |
signal.target.egid | int | Effective GID of the process |
signal.target.egroup | string | Effective group of the process |
signal.target.envp | string | Environment variables of the process |
signal.target.envs | string | Environment variable names of the process |
signal.target.envs_truncated | bool | Indicator of environment variables truncation |
signal.target.euid | int | Effective UID of the process |
signal.target.euser | string | Effective user of the process |
signal.target.file.change_time | int | Change time of the file |
signal.target.file.filesystem | string | File’s filesystem |
signal.target.file.gid | int | GID of the file’s owner |
signal.target.file.group | string | Group of the file’s owner |
signal.target.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
signal.target.file.inode | int | Inode of the file |
signal.target.file.mode | int | Mode/rights of the file |
signal.target.file.modification_time | int | Modification time of the file |
signal.target.file.mount_id | int | Mount ID of the file |
signal.target.file.name | string | File’s basename |
signal.target.file.path | string | File’s path |
signal.target.file.rights | int | Mode/rights of the file |
signal.target.file.uid | int | UID of the file’s owner |
signal.target.file.user | string | User of the file’s owner |
signal.target.fsgid | int | FileSystem-gid of the process |
signal.target.fsgroup | string | FileSystem-group of the process |
signal.target.fsuid | int | FileSystem-uid of the process |
signal.target.fsuser | string | FileSystem-user of the process |
signal.target.gid | int | GID of the process |
signal.target.group | string | Group of the process |
signal.target.pid | int | Process ID of the process (also called thread group ID) |
signal.target.ppid | int | Parent process ID |
signal.target.tid | int | Thread ID of the thread |
signal.target.tty_name | string | Name of the TTY associated with the process |
signal.target.uid | int | UID of the process |
signal.target.user | string | User of the process |
signal.type | int | Signal type (for example SIGHUP, SIGINT, SIGQUIT) |
splice
A splice command was executed
Property | Type | Definition |
---|---|---|
splice.async | bool | True if the syscall was asynchronous |
splice.file.change_time | int | Change time of the file |
splice.file.filesystem | string | File’s filesystem |
splice.file.gid | int | GID of the file’s owner |
splice.file.group | string | Group of the file’s owner |
splice.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
splice.file.inode | int | Inode of the file |
splice.file.mode | int | Mode/rights of the file |
splice.file.modification_time | int | Modification time of the file |
splice.file.mount_id | int | Mount ID of the file |
splice.file.name | string | File’s basename |
splice.file.path | string | File’s path |
splice.file.rights | int | Mode/rights of the file |
splice.file.uid | int | UID of the file’s owner |
splice.file.user | string | User of the file’s owner |
splice.pipe_entry_flag | int | Entry flag of the “fd_out” pipe passed to the splice syscall |
splice.pipe_exit_flag | int | Exit flag of the “fd_out” pipe passed to the splice syscall |
splice.retval | int | Return value of the syscall |
unlink
A file was deleted
Property | Type | Definition |
---|---|---|
unlink.async | bool | True if the syscall was asynchronous |
unlink.file.change_time | int | Change time of the file |
unlink.file.filesystem | string | File’s filesystem |
unlink.file.gid | int | GID of the file’s owner |
unlink.file.group | string | Group of the file’s owner |
unlink.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
unlink.file.inode | int | Inode of the file |
unlink.file.mode | int | Mode/rights of the file |
unlink.file.modification_time | int | Modification time of the file |
unlink.file.mount_id | int | Mount ID of the file |
unlink.file.name | string | File’s basename |
unlink.file.path | string | File’s path |
unlink.file.rights | int | Mode/rights of the file |
unlink.file.uid | int | UID of the file’s owner |
unlink.file.user | string | User of the file’s owner |
unlink.retval | int | Return value of the syscall |
unload_module
A kernel module was deleted
Property | Type | Definition |
---|---|---|
unload_module.async | bool | True if the syscall was asynchronous |
unload_module.name | string | Name of the kernel module that was deleted |
unload_module.retval | int | Return value of the syscall |
utimes
Change file access/modification times
Property | Type | Definition |
---|---|---|
utimes.async | bool | True if the syscall was asynchronous |
utimes.file.change_time | int | Change time of the file |
utimes.file.filesystem | string | File’s filesystem |
utimes.file.gid | int | GID of the file’s owner |
utimes.file.group | string | Group of the file’s owner |
utimes.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
utimes.file.inode | int | Inode of the file |
utimes.file.mode | int | Mode/rights of the file |
utimes.file.modification_time | int | Modification time of the file |
utimes.file.mount_id | int | Mount ID of the file |
utimes.file.name | string | File’s basename |
utimes.file.path | string | File’s path |
utimes.file.rights | int | Mode/rights of the file |
utimes.file.uid | int | UID of the file’s owner |
utimes.file.user | string | User of the file’s owner |
utimes.retval | int | Return value of the syscall |
Useful documentation, links, and articles: