- はじめに
- エージェント
- インテグレーション
- Watchdog
- イベント
- ダッシュボード
- モバイルアプリケーション
- インフラストラクチャー
- サーバーレス
- メトリクス
- ノートブック
- アラート設定
- APM & Continuous Profiler
- CI Visibility
- RUM & セッションリプレイ
- データベース モニタリング
- ログ管理
- セキュリティプラットフォーム
- Synthetic モニタリング
- ネットワークモニタリング
- 開発者
- API
- アカウントの管理
- データセキュリティ
- ヘルプ
Cloud Workload Security (CWS) first evaluates activity within the Datadog Agent against Agent expressions to decide what activity to collect. This portion of a CWS rule is called the Agent expression. Agent expressions use Datadog’s Security Language (SECL). The standard format of a SECL expression is as follows:
<event-type>.<event-attribute> <operator> <value> <event-attribute> ...Using this format, an example rule looks like this:
open.file.path == "/etc/shadow" && file.path not in ["/usr/sbin/vipw"]Triggers are events that correspond to types of activity seen by the system. The currently supported set of triggers is:
| SECL Event | Type | Definition | Agent Version |
|---|---|---|---|
bind | Network | [Experimental] A bind was executed | 7.37 |
bpf | Kernel | A BPF command was executed | 7.33 |
capset | Process | A process changed its capacity set | 7.27 |
chmod | File | A file’s permissions were changed | 7.27 |
chown | File | A file’s owner was changed | 7.27 |
dns | Network | A DNS request was sent | 7.36 |
exec | Process | A process was executed or forked | 7.27 |
link | File | Create a new name/alias for a file | 7.27 |
load_module | Kernel | A new kernel module was loaded | 7.35 |
mkdir | File | A directory was created | 7.27 |
mmap | Kernel | A mmap command was executed | 7.35 |
mprotect | Kernel | A mprotect command was executed | 7.35 |
open | File | A file was opened | 7.27 |
ptrace | Kernel | A ptrace command was executed | 7.35 |
removexattr | File | Remove extended attributes | 7.27 |
rename | File | A file/directory was renamed | 7.27 |
rmdir | File | A directory was removed | 7.27 |
selinux | Kernel | An SELinux operation was run | 7.30 |
setgid | Process | A process changed its effective gid | 7.27 |
setuid | Process | A process changed its effective uid | 7.27 |
setxattr | File | Set exteneded attributes | 7.27 |
signal | Process | A signal was sent | 7.35 |
splice | File | A splice command was executed | 7.36 |
unlink | File | A file was deleted | 7.27 |
unload_module | Kernel | A kernel module was deleted | 7.35 |
utimes | File | Change file access/modification times | 7.27 |
SECL operators are used to combine event attributes together into a full expression. The following operators are available:
| SECL Operator | Types | Definition | Agent Version |
|---|---|---|---|
== | Process | Equal | 7.27 |
!= | File | Not equal | 7.27 |
> | File | Greater | 7.27 |
>= | File | Greater or equal | 7.27 |
< | File | Lesser | 7.27 |
<= | File | Lesser or equal | 7.27 |
! | File | Not | 7.27 |
^ | File | Binary not | 7.27 |
in [elem1, ...] | File | Element is contained in list | 7.27 |
not in [elem1, ...] | File | Element is not contained in list | 7.27 |
=~ | File | String matching | 7.27 |
!~ | File | String not matching | 7.27 |
& | File | Binary and | 7.27 |
| | File | Binary or | 7.27 |
&& | File | Logical and | 7.27 |
|| | File | Logical or | 7.27 |
in CIDR | Network | Element is in the IP range | 7.37 |
not in CIDR | Network | Element is not in the IP range | 7.37 |
allin CIDR | Network | All the elements are in the IP range | 7.37 |
in [CIDR1, ...] | Network | Element is in the IP ranges | 7.37 |
not in [CIDR1, ...] | Network | Element is not in the IP ranges | 7.37 |
allin [CIDR1, ...] | Network | All the elements are in the IP ranges | 7.37 |
Patterns or regular expressions can be used in SECL expressions. They can be used with the in, not in, =~, and !~ operators.
| Format | Example | Supported Fields | Agent Version |
|---|---|---|---|
~"pattern" | ~"httpd.*" | All | 7.27 |
r"regexp" | r"rc[0-9]+" | All except .path | 7.27 |
Patterns on .path fields will be used as Glob. * will match files and folders at the same level. **, introduced in 7.34, can be used at the end of a path in order to match all the files and subfolders.
You can use SECL to write rules based on durations, which trigger on events that occur during a specific time period. For example, trigger on an event where a secret file is accessed more than a certain length of time after a process is created. Such a rule could be written as follows:
open.file.path == "/etc/secret" && process.file.name == "java" && process.created_at > 5sDurations are numbers with a unit suffix. The supported suffixes are “s”, “m”, “h”.
SECL variables are predefined variables that can be used as values or as part of values.
For example, rule using a process.pid variable looks like this:
open.file.path == "/proc/${process.pid}/maps"List of the available variables:
| SECL Variable | Definition | Agent Version |
|---|---|---|
process.pid | Process PID | 7.33 |
CIDR and IP matching is possible in SECL. One can use operators such as in, not in, or allin combined with CIDR or IP notations.
Such rules can be written as follows:
dns.question.name == "example.com" && network.destination.ip in ["192.168.1.25", "10.0.0.0/24"]Helpers exist in SECL that enable users to write advanced rules without needing to rely on generic techniques such as regex.
The args_flags and args_options are helpers to ease the writing of CWS rules based on command line arguments.
args_flags is used to catch arguments that start with either one or two hyphen characters but do not accept any associated value.
Examples:
version is part of args_flags for the command cat --versionl and n both are in args_flags for the command netstat -lnargs_options is used to catch arguments that start with either one or two hyphen characters and accepts a value either specified as the same argument but separated by the ‘=’ character or specified as the next argument.
Examples:
T=8 and width=8 both are in args_options for the command ls -T 8 --width=8exec.args_options ~= [ “s=.*\’” ] can be used to detect sudoedit was launched with -s argument and a command that ends with a \The file.rights attribute can now be used in addition to file.mode. file.mode can hold values set by the kernel, while the file.rights only holds the values set by the user. These rights may be more familiar because they are in the chmod commands.
| Property | Type | Definition |
|---|---|---|
container.id | string | ID of the container |
container.tags | string | Tags of the container |
network.destination.ip | IP/CIDR | IP address |
network.destination.port | int | Port number |
network.device.ifindex | int | interface ifindex |
network.device.ifname | string | interface ifname |
network.l3_protocol | int | l3 protocol of the network packet |
network.l4_protocol | int | l4 protocol of the network packet |
network.size | int | size in bytes of the network packet |
network.source.ip | IP/CIDR | IP address |
network.source.port | int | Port number |
process.ancestors.args | string | Arguments of the process (as a string) |
process.ancestors.args_flags | string | Arguments of the process (as an array) |
process.ancestors.args_options | string | Arguments of the process (as an array) |
process.ancestors.args_truncated | bool | Indicator of arguments truncation |
process.ancestors.argv | string | Arguments of the process (as an array) |
process.ancestors.argv0 | string | First argument of the process |
process.ancestors.cap_effective | int | Effective capability set of the process |
process.ancestors.cap_permitted | int | Permitted capability set of the process |
process.ancestors.comm | string | Comm attribute of the process |
process.ancestors.container.id | string | Container ID |
process.ancestors.cookie | int | Cookie of the process |
process.ancestors.created_at | int | Timestamp of the creation of the process |
process.ancestors.egid | int | Effective GID of the process |
process.ancestors.egroup | string | Effective group of the process |
process.ancestors.envp | string | Environment variables of the process |
process.ancestors.envs | string | Environment variable names of the process |
process.ancestors.envs_truncated | bool | Indicator of environment variables truncation |
process.ancestors.euid | int | Effective UID of the process |
process.ancestors.euser | string | Effective user of the process |
process.ancestors.file.change_time | int | Change time of the file |
process.ancestors.file.filesystem | string | File’s filesystem |
process.ancestors.file.gid | int | GID of the file’s owner |
process.ancestors.file.group | string | Group of the file’s owner |
process.ancestors.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
process.ancestors.file.inode | int | Inode of the file |
process.ancestors.file.mode | int | Mode/rights of the file |
process.ancestors.file.modification_time | int | Modification time of the file |
process.ancestors.file.mount_id | int | Mount ID of the file |
process.ancestors.file.name | string | File’s basename |
process.ancestors.file.path | string | File’s path |
process.ancestors.file.rights | int | Mode/rights of the file |
process.ancestors.file.uid | int | UID of the file’s owner |
process.ancestors.file.user | string | User of the file’s owner |
process.ancestors.fsgid | int | FileSystem-gid of the process |
process.ancestors.fsgroup | string | FileSystem-group of the process |
process.ancestors.fsuid | int | FileSystem-uid of the process |
process.ancestors.fsuser | string | FileSystem-user of the process |
process.ancestors.gid | int | GID of the process |
process.ancestors.group | string | Group of the process |
process.ancestors.pid | int | Process ID of the process (also called thread group ID) |
process.ancestors.ppid | int | Parent process ID |
process.ancestors.tid | int | Thread ID of the thread |
process.ancestors.tty_name | string | Name of the TTY associated with the process |
process.ancestors.uid | int | UID of the process |
process.ancestors.user | string | User of the process |
process.args | string | Arguments of the process (as a string) |
process.args_flags | string | Arguments of the process (as an array) |
process.args_options | string | Arguments of the process (as an array) |
process.args_truncated | bool | Indicator of arguments truncation |
process.argv | string | Arguments of the process (as an array) |
process.argv0 | string | First argument of the process |
process.cap_effective | int | Effective capability set of the process |
process.cap_permitted | int | Permitted capability set of the process |
process.comm | string | Comm attribute of the process |
process.container.id | string | Container ID |
process.cookie | int | Cookie of the process |
process.created_at | int | Timestamp of the creation of the process |
process.egid | int | Effective GID of the process |
process.egroup | string | Effective group of the process |
process.envp | string | Environment variables of the process |
process.envs | string | Environment variable names of the process |
process.envs_truncated | bool | Indicator of environment variables truncation |
process.euid | int | Effective UID of the process |
process.euser | string | Effective user of the process |
process.file.change_time | int | Change time of the file |
process.file.filesystem | string | File’s filesystem |
process.file.gid | int | GID of the file’s owner |
process.file.group | string | Group of the file’s owner |
process.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
process.file.inode | int | Inode of the file |
process.file.mode | int | Mode/rights of the file |
process.file.modification_time | int | Modification time of the file |
process.file.mount_id | int | Mount ID of the file |
process.file.name | string | File’s basename |
process.file.path | string | File’s path |
process.file.rights | int | Mode/rights of the file |
process.file.uid | int | UID of the file’s owner |
process.file.user | string | User of the file’s owner |
process.fsgid | int | FileSystem-gid of the process |
process.fsgroup | string | FileSystem-group of the process |
process.fsuid | int | FileSystem-uid of the process |
process.fsuser | string | FileSystem-user of the process |
process.gid | int | GID of the process |
process.group | string | Group of the process |
process.pid | int | Process ID of the process (also called thread group ID) |
process.ppid | int | Parent process ID |
process.tid | int | Thread ID of the thread |
process.tty_name | string | Name of the TTY associated with the process |
process.uid | int | UID of the process |
process.user | string | User of the process |
bindThis event type is experimental and may change in the future.
A bind was executed
| Property | Type | Definition |
|---|---|---|
bind.addr.family | int | Address family |
bind.addr.ip | IP/CIDR | IP address |
bind.addr.port | int | Port number |
bind.async | bool | True if the syscall was asynchronous |
bind.retval | int | Return value of the syscall |
bpfA BPF command was executed
| Property | Type | Definition |
|---|---|---|
bpf.async | bool | True if the syscall was asynchronous |
bpf.cmd | int | BPF command name |
bpf.map.name | string | Name of the eBPF map (added in 7.35) |
bpf.map.type | int | Type of the eBPF map |
bpf.prog.attach_type | int | Attach type of the eBPF program |
bpf.prog.helpers | int | eBPF helpers used by the eBPF program (added in 7.35) |
bpf.prog.name | string | Name of the eBPF program (added in 7.35) |
bpf.prog.tag | string | Hash (sha1) of the eBPF program (added in 7.35) |
bpf.prog.type | int | Type of the eBPF program |
bpf.retval | int | Return value of the syscall |
capsetA process changed its capacity set
| Property | Type | Definition |
|---|---|---|
capset.cap_effective | int | Effective capability set of the process |
capset.cap_permitted | int | Permitted capability set of the process |
chmodA file’s permissions were changed
| Property | Type | Definition |
|---|---|---|
chmod.async | bool | True if the syscall was asynchronous |
chmod.file.change_time | int | Change time of the file |
chmod.file.destination.mode | int | New mode/rights of the chmod-ed file |
chmod.file.destination.rights | int | New mode/rights of the chmod-ed file |
chmod.file.filesystem | string | File’s filesystem |
chmod.file.gid | int | GID of the file’s owner |
chmod.file.group | string | Group of the file’s owner |
chmod.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
chmod.file.inode | int | Inode of the file |
chmod.file.mode | int | Mode/rights of the file |
chmod.file.modification_time | int | Modification time of the file |
chmod.file.mount_id | int | Mount ID of the file |
chmod.file.name | string | File’s basename |
chmod.file.path | string | File’s path |
chmod.file.rights | int | Mode/rights of the file |
chmod.file.uid | int | UID of the file’s owner |
chmod.file.user | string | User of the file’s owner |
chmod.retval | int | Return value of the syscall |
chownA file’s owner was changed
| Property | Type | Definition |
|---|---|---|
chown.async | bool | True if the syscall was asynchronous |
chown.file.change_time | int | Change time of the file |
chown.file.destination.gid | int | New GID of the chown-ed file’s owner |
chown.file.destination.group | string | New group of the chown-ed file’s owner |
chown.file.destination.uid | int | New UID of the chown-ed file’s owner |
chown.file.destination.user | string | New user of the chown-ed file’s owner |
chown.file.filesystem | string | File’s filesystem |
chown.file.gid | int | GID of the file’s owner |
chown.file.group | string | Group of the file’s owner |
chown.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
chown.file.inode | int | Inode of the file |
chown.file.mode | int | Mode/rights of the file |
chown.file.modification_time | int | Modification time of the file |
chown.file.mount_id | int | Mount ID of the file |
chown.file.name | string | File’s basename |
chown.file.path | string | File’s path |
chown.file.rights | int | Mode/rights of the file |
chown.file.uid | int | UID of the file’s owner |
chown.file.user | string | User of the file’s owner |
chown.retval | int | Return value of the syscall |
dnsA DNS request was sent
| Property | Type | Definition |
|---|---|---|
dns.question.class | int | the class looked up by the DNS question |
dns.question.count | int | the total count of questions in the DNS request |
dns.question.name | string | the queried domain name |
dns.question.size | int | the total DNS request size in bytes |
dns.question.type | int | a two octet code which specifies the DNS question type |
execA process was executed or forked
| Property | Type | Definition |
|---|---|---|
exec.args | string | Arguments of the process (as a string) |
exec.args_flags | string | Arguments of the process (as an array) |
exec.args_options | string | Arguments of the process (as an array) |
exec.args_truncated | bool | Indicator of arguments truncation |
exec.argv | string | Arguments of the process (as an array) |
exec.argv0 | string | First argument of the process |
exec.cap_effective | int | Effective capability set of the process |
exec.cap_permitted | int | Permitted capability set of the process |
exec.comm | string | Comm attribute of the process |
exec.container.id | string | Container ID |
exec.cookie | int | Cookie of the process |
exec.created_at | int | Timestamp of the creation of the process |
exec.egid | int | Effective GID of the process |
exec.egroup | string | Effective group of the process |
exec.envp | string | Environment variables of the process |
exec.envs | string | Environment variable names of the process |
exec.envs_truncated | bool | Indicator of environment variables truncation |
exec.euid | int | Effective UID of the process |
exec.euser | string | Effective user of the process |
exec.file.change_time | int | Change time of the file |
exec.file.filesystem | string | File’s filesystem |
exec.file.gid | int | GID of the file’s owner |
exec.file.group | string | Group of the file’s owner |
exec.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
exec.file.inode | int | Inode of the file |
exec.file.mode | int | Mode/rights of the file |
exec.file.modification_time | int | Modification time of the file |
exec.file.mount_id | int | Mount ID of the file |
exec.file.name | string | File’s basename |
exec.file.path | string | File’s path |
exec.file.rights | int | Mode/rights of the file |
exec.file.uid | int | UID of the file’s owner |
exec.file.user | string | User of the file’s owner |
exec.fsgid | int | FileSystem-gid of the process |
exec.fsgroup | string | FileSystem-group of the process |
exec.fsuid | int | FileSystem-uid of the process |
exec.fsuser | string | FileSystem-user of the process |
exec.gid | int | GID of the process |
exec.group | string | Group of the process |
exec.pid | int | Process ID of the process (also called thread group ID) |
exec.ppid | int | Parent process ID |
exec.tid | int | Thread ID of the thread |
exec.tty_name | string | Name of the TTY associated with the process |
exec.uid | int | UID of the process |
exec.user | string | User of the process |
linkCreate a new name/alias for a file
| Property | Type | Definition |
|---|---|---|
link.async | bool | True if the syscall was asynchronous |
link.file.change_time | int | Change time of the file |
link.file.destination.change_time | int | Change time of the file |
link.file.destination.filesystem | string | File’s filesystem |
link.file.destination.gid | int | GID of the file’s owner |
link.file.destination.group | string | Group of the file’s owner |
link.file.destination.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
link.file.destination.inode | int | Inode of the file |
link.file.destination.mode | int | Mode/rights of the file |
link.file.destination.modification_time | int | Modification time of the file |
link.file.destination.mount_id | int | Mount ID of the file |
link.file.destination.name | string | File’s basename |
link.file.destination.path | string | File’s path |
link.file.destination.rights | int | Mode/rights of the file |
link.file.destination.uid | int | UID of the file’s owner |
link.file.destination.user | string | User of the file’s owner |
link.file.filesystem | string | File’s filesystem |
link.file.gid | int | GID of the file’s owner |
link.file.group | string | Group of the file’s owner |
link.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
link.file.inode | int | Inode of the file |
link.file.mode | int | Mode/rights of the file |
link.file.modification_time | int | Modification time of the file |
link.file.mount_id | int | Mount ID of the file |
link.file.name | string | File’s basename |
link.file.path | string | File’s path |
link.file.rights | int | Mode/rights of the file |
link.file.uid | int | UID of the file’s owner |
link.file.user | string | User of the file’s owner |
link.retval | int | Return value of the syscall |
load_moduleA new kernel module was loaded
| Property | Type | Definition |
|---|---|---|
load_module.async | bool | True if the syscall was asynchronous |
load_module.file.change_time | int | Change time of the file |
load_module.file.filesystem | string | File’s filesystem |
load_module.file.gid | int | GID of the file’s owner |
load_module.file.group | string | Group of the file’s owner |
load_module.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
load_module.file.inode | int | Inode of the file |
load_module.file.mode | int | Mode/rights of the file |
load_module.file.modification_time | int | Modification time of the file |
load_module.file.mount_id | int | Mount ID of the file |
load_module.file.name | string | File’s basename |
load_module.file.path | string | File’s path |
load_module.file.rights | int | Mode/rights of the file |
load_module.file.uid | int | UID of the file’s owner |
load_module.file.user | string | User of the file’s owner |
load_module.loaded_from_memory | bool | Indicates if the kernel module was loaded from memory |
load_module.name | string | Name of the new kernel module |
load_module.retval | int | Return value of the syscall |
mkdirA directory was created
| Property | Type | Definition |
|---|---|---|
mkdir.async | bool | True if the syscall was asynchronous |
mkdir.file.change_time | int | Change time of the file |
mkdir.file.destination.mode | int | Mode/rights of the new directory |
mkdir.file.destination.rights | int | Mode/rights of the new directory |
mkdir.file.filesystem | string | File’s filesystem |
mkdir.file.gid | int | GID of the file’s owner |
mkdir.file.group | string | Group of the file’s owner |
mkdir.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
mkdir.file.inode | int | Inode of the file |
mkdir.file.mode | int | Mode/rights of the file |
mkdir.file.modification_time | int | Modification time of the file |
mkdir.file.mount_id | int | Mount ID of the file |
mkdir.file.name | string | File’s basename |
mkdir.file.path | string | File’s path |
mkdir.file.rights | int | Mode/rights of the file |
mkdir.file.uid | int | UID of the file’s owner |
mkdir.file.user | string | User of the file’s owner |
mkdir.retval | int | Return value of the syscall |
mmapA mmap command was executed
| Property | Type | Definition |
|---|---|---|
mmap.async | bool | True if the syscall was asynchronous |
mmap.file.change_time | int | Change time of the file |
mmap.file.filesystem | string | File’s filesystem |
mmap.file.gid | int | GID of the file’s owner |
mmap.file.group | string | Group of the file’s owner |
mmap.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
mmap.file.inode | int | Inode of the file |
mmap.file.mode | int | Mode/rights of the file |
mmap.file.modification_time | int | Modification time of the file |
mmap.file.mount_id | int | Mount ID of the file |
mmap.file.name | string | File’s basename |
mmap.file.path | string | File’s path |
mmap.file.rights | int | Mode/rights of the file |
mmap.file.uid | int | UID of the file’s owner |
mmap.file.user | string | User of the file’s owner |
mmap.flags | int | memory segment flags |
mmap.protection | int | memory segment protection |
mmap.retval | int | Return value of the syscall |
mprotectA mprotect command was executed
| Property | Type | Definition |
|---|---|---|
mprotect.async | bool | True if the syscall was asynchronous |
mprotect.req_protection | int | new memory segment protection |
mprotect.retval | int | Return value of the syscall |
mprotect.vm_protection | int | initial memory segment protection |
openA file was opened
| Property | Type | Definition |
|---|---|---|
open.async | bool | True if the syscall was asynchronous |
open.file.change_time | int | Change time of the file |
open.file.destination.mode | int | Mode of the created file |
open.file.filesystem | string | File’s filesystem |
open.file.gid | int | GID of the file’s owner |
open.file.group | string | Group of the file’s owner |
open.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
open.file.inode | int | Inode of the file |
open.file.mode | int | Mode/rights of the file |
open.file.modification_time | int | Modification time of the file |
open.file.mount_id | int | Mount ID of the file |
open.file.name | string | File’s basename |
open.file.path | string | File’s path |
open.file.rights | int | Mode/rights of the file |
open.file.uid | int | UID of the file’s owner |
open.file.user | string | User of the file’s owner |
open.flags | int | Flags used when opening the file |
open.retval | int | Return value of the syscall |
ptraceA ptrace command was executed
| Property | Type | Definition |
|---|---|---|
ptrace.async | bool | True if the syscall was asynchronous |
ptrace.request | int | ptrace request |
ptrace.retval | int | Return value of the syscall |
ptrace.tracee.ancestors.args | string | Arguments of the process (as a string) |
ptrace.tracee.ancestors.args_flags | string | Arguments of the process (as an array) |
ptrace.tracee.ancestors.args_options | string | Arguments of the process (as an array) |
ptrace.tracee.ancestors.args_truncated | bool | Indicator of arguments truncation |
ptrace.tracee.ancestors.argv | string | Arguments of the process (as an array) |
ptrace.tracee.ancestors.argv0 | string | First argument of the process |
ptrace.tracee.ancestors.cap_effective | int | Effective capability set of the process |
ptrace.tracee.ancestors.cap_permitted | int | Permitted capability set of the process |
ptrace.tracee.ancestors.comm | string | Comm attribute of the process |
ptrace.tracee.ancestors.container.id | string | Container ID |
ptrace.tracee.ancestors.cookie | int | Cookie of the process |
ptrace.tracee.ancestors.created_at | int | Timestamp of the creation of the process |
ptrace.tracee.ancestors.egid | int | Effective GID of the process |
ptrace.tracee.ancestors.egroup | string | Effective group of the process |
ptrace.tracee.ancestors.envp | string | Environment variables of the process |
ptrace.tracee.ancestors.envs | string | Environment variable names of the process |
ptrace.tracee.ancestors.envs_truncated | bool | Indicator of environment variables truncation |
ptrace.tracee.ancestors.euid | int | Effective UID of the process |
ptrace.tracee.ancestors.euser | string | Effective user of the process |
ptrace.tracee.ancestors.file.change_time | int | Change time of the file |
ptrace.tracee.ancestors.file.filesystem | string | File’s filesystem |
ptrace.tracee.ancestors.file.gid | int | GID of the file’s owner |
ptrace.tracee.ancestors.file.group | string | Group of the file’s owner |
ptrace.tracee.ancestors.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
ptrace.tracee.ancestors.file.inode | int | Inode of the file |
ptrace.tracee.ancestors.file.mode | int | Mode/rights of the file |
ptrace.tracee.ancestors.file.modification_time | int | Modification time of the file |
ptrace.tracee.ancestors.file.mount_id | int | Mount ID of the file |
ptrace.tracee.ancestors.file.name | string | File’s basename |
ptrace.tracee.ancestors.file.path | string | File’s path |
ptrace.tracee.ancestors.file.rights | int | Mode/rights of the file |
ptrace.tracee.ancestors.file.uid | int | UID of the file’s owner |
ptrace.tracee.ancestors.file.user | string | User of the file’s owner |
ptrace.tracee.ancestors.fsgid | int | FileSystem-gid of the process |
ptrace.tracee.ancestors.fsgroup | string | FileSystem-group of the process |
ptrace.tracee.ancestors.fsuid | int | FileSystem-uid of the process |
ptrace.tracee.ancestors.fsuser | string | FileSystem-user of the process |
ptrace.tracee.ancestors.gid | int | GID of the process |
ptrace.tracee.ancestors.group | string | Group of the process |
ptrace.tracee.ancestors.pid | int | Process ID of the process (also called thread group ID) |
ptrace.tracee.ancestors.ppid | int | Parent process ID |
ptrace.tracee.ancestors.tid | int | Thread ID of the thread |
ptrace.tracee.ancestors.tty_name | string | Name of the TTY associated with the process |
ptrace.tracee.ancestors.uid | int | UID of the process |
ptrace.tracee.ancestors.user | string | User of the process |
ptrace.tracee.args | string | Arguments of the process (as a string) |
ptrace.tracee.args_flags | string | Arguments of the process (as an array) |
ptrace.tracee.args_options | string | Arguments of the process (as an array) |
ptrace.tracee.args_truncated | bool | Indicator of arguments truncation |
ptrace.tracee.argv | string | Arguments of the process (as an array) |
ptrace.tracee.argv0 | string | First argument of the process |
ptrace.tracee.cap_effective | int | Effective capability set of the process |
ptrace.tracee.cap_permitted | int | Permitted capability set of the process |
ptrace.tracee.comm | string | Comm attribute of the process |
ptrace.tracee.container.id | string | Container ID |
ptrace.tracee.cookie | int | Cookie of the process |
ptrace.tracee.created_at | int | Timestamp of the creation of the process |
ptrace.tracee.egid | int | Effective GID of the process |
ptrace.tracee.egroup | string | Effective group of the process |
ptrace.tracee.envp | string | Environment variables of the process |
ptrace.tracee.envs | string | Environment variable names of the process |
ptrace.tracee.envs_truncated | bool | Indicator of environment variables truncation |
ptrace.tracee.euid | int | Effective UID of the process |
ptrace.tracee.euser | string | Effective user of the process |
ptrace.tracee.file.change_time | int | Change time of the file |
ptrace.tracee.file.filesystem | string | File’s filesystem |
ptrace.tracee.file.gid | int | GID of the file’s owner |
ptrace.tracee.file.group | string | Group of the file’s owner |
ptrace.tracee.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
ptrace.tracee.file.inode | int | Inode of the file |
ptrace.tracee.file.mode | int | Mode/rights of the file |
ptrace.tracee.file.modification_time | int | Modification time of the file |
ptrace.tracee.file.mount_id | int | Mount ID of the file |
ptrace.tracee.file.name | string | File’s basename |
ptrace.tracee.file.path | string | File’s path |
ptrace.tracee.file.rights | int | Mode/rights of the file |
ptrace.tracee.file.uid | int | UID of the file’s owner |
ptrace.tracee.file.user | string | User of the file’s owner |
ptrace.tracee.fsgid | int | FileSystem-gid of the process |
ptrace.tracee.fsgroup | string | FileSystem-group of the process |
ptrace.tracee.fsuid | int | FileSystem-uid of the process |
ptrace.tracee.fsuser | string | FileSystem-user of the process |
ptrace.tracee.gid | int | GID of the process |
ptrace.tracee.group | string | Group of the process |
ptrace.tracee.pid | int | Process ID of the process (also called thread group ID) |
ptrace.tracee.ppid | int | Parent process ID |
ptrace.tracee.tid | int | Thread ID of the thread |
ptrace.tracee.tty_name | string | Name of the TTY associated with the process |
ptrace.tracee.uid | int | UID of the process |
ptrace.tracee.user | string | User of the process |
removexattrRemove extended attributes
| Property | Type | Definition |
|---|---|---|
removexattr.async | bool | True if the syscall was asynchronous |
removexattr.file.change_time | int | Change time of the file |
removexattr.file.destination.name | string | Name of the extended attribute |
removexattr.file.destination.namespace | string | Namespace of the extended attribute |
removexattr.file.filesystem | string | File’s filesystem |
removexattr.file.gid | int | GID of the file’s owner |
removexattr.file.group | string | Group of the file’s owner |
removexattr.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
removexattr.file.inode | int | Inode of the file |
removexattr.file.mode | int | Mode/rights of the file |
removexattr.file.modification_time | int | Modification time of the file |
removexattr.file.mount_id | int | Mount ID of the file |
removexattr.file.name | string | File’s basename |
removexattr.file.path | string | File’s path |
removexattr.file.rights | int | Mode/rights of the file |
removexattr.file.uid | int | UID of the file’s owner |
removexattr.file.user | string | User of the file’s owner |
removexattr.retval | int | Return value of the syscall |
renameA file/directory was renamed
| Property | Type | Definition |
|---|---|---|
rename.async | bool | True if the syscall was asynchronous |
rename.file.change_time | int | Change time of the file |
rename.file.destination.change_time | int | Change time of the file |
rename.file.destination.filesystem | string | File’s filesystem |
rename.file.destination.gid | int | GID of the file’s owner |
rename.file.destination.group | string | Group of the file’s owner |
rename.file.destination.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
rename.file.destination.inode | int | Inode of the file |
rename.file.destination.mode | int | Mode/rights of the file |
rename.file.destination.modification_time | int | Modification time of the file |
rename.file.destination.mount_id | int | Mount ID of the file |
rename.file.destination.name | string | File’s basename |
rename.file.destination.path | string | File’s path |
rename.file.destination.rights | int | Mode/rights of the file |
rename.file.destination.uid | int | UID of the file’s owner |
rename.file.destination.user | string | User of the file’s owner |
rename.file.filesystem | string | File’s filesystem |
rename.file.gid | int | GID of the file’s owner |
rename.file.group | string | Group of the file’s owner |
rename.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
rename.file.inode | int | Inode of the file |
rename.file.mode | int | Mode/rights of the file |
rename.file.modification_time | int | Modification time of the file |
rename.file.mount_id | int | Mount ID of the file |
rename.file.name | string | File’s basename |
rename.file.path | string | File’s path |
rename.file.rights | int | Mode/rights of the file |
rename.file.uid | int | UID of the file’s owner |
rename.file.user | string | User of the file’s owner |
rename.retval | int | Return value of the syscall |
rmdirA directory was removed
| Property | Type | Definition |
|---|---|---|
rmdir.async | bool | True if the syscall was asynchronous |
rmdir.file.change_time | int | Change time of the file |
rmdir.file.filesystem | string | File’s filesystem |
rmdir.file.gid | int | GID of the file’s owner |
rmdir.file.group | string | Group of the file’s owner |
rmdir.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
rmdir.file.inode | int | Inode of the file |
rmdir.file.mode | int | Mode/rights of the file |
rmdir.file.modification_time | int | Modification time of the file |
rmdir.file.mount_id | int | Mount ID of the file |
rmdir.file.name | string | File’s basename |
rmdir.file.path | string | File’s path |
rmdir.file.rights | int | Mode/rights of the file |
rmdir.file.uid | int | UID of the file’s owner |
rmdir.file.user | string | User of the file’s owner |
rmdir.retval | int | Return value of the syscall |
selinuxAn SELinux operation was run
| Property | Type | Definition |
|---|---|---|
selinux.bool.name | string | SELinux boolean name |
selinux.bool.state | string | SELinux boolean new value |
selinux.bool_commit.state | bool | Indicator of a SELinux boolean commit operation |
selinux.enforce.status | string | SELinux enforcement status (one of “enforcing”, “permissive”, “disabled”") |
setgidA process changed its effective gid
| Property | Type | Definition |
|---|---|---|
setgid.egid | int | New effective GID of the process |
setgid.egroup | string | New effective group of the process |
setgid.fsgid | int | New FileSystem GID of the process |
setgid.fsgroup | string | New FileSystem group of the process |
setgid.gid | int | New GID of the process |
setgid.group | string | New group of the process |
setuidA process changed its effective uid
| Property | Type | Definition |
|---|---|---|
setuid.euid | int | New effective UID of the process |
setuid.euser | string | New effective user of the process |
setuid.fsuid | int | New FileSystem UID of the process |
setuid.fsuser | string | New FileSystem user of the process |
setuid.uid | int | New UID of the process |
setuid.user | string | New user of the process |
setxattrSet exteneded attributes
| Property | Type | Definition |
|---|---|---|
setxattr.async | bool | True if the syscall was asynchronous |
setxattr.file.change_time | int | Change time of the file |
setxattr.file.destination.name | string | Name of the extended attribute |
setxattr.file.destination.namespace | string | Namespace of the extended attribute |
setxattr.file.filesystem | string | File’s filesystem |
setxattr.file.gid | int | GID of the file’s owner |
setxattr.file.group | string | Group of the file’s owner |
setxattr.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
setxattr.file.inode | int | Inode of the file |
setxattr.file.mode | int | Mode/rights of the file |
setxattr.file.modification_time | int | Modification time of the file |
setxattr.file.mount_id | int | Mount ID of the file |
setxattr.file.name | string | File’s basename |
setxattr.file.path | string | File’s path |
setxattr.file.rights | int | Mode/rights of the file |
setxattr.file.uid | int | UID of the file’s owner |
setxattr.file.user | string | User of the file’s owner |
setxattr.retval | int | Return value of the syscall |
signalA signal was sent
| Property | Type | Definition |
|---|---|---|
signal.async | bool | True if the syscall was asynchronous |
signal.pid | int | Target PID |
signal.retval | int | Return value of the syscall |
signal.target.ancestors.args | string | Arguments of the process (as a string) |
signal.target.ancestors.args_flags | string | Arguments of the process (as an array) |
signal.target.ancestors.args_options | string | Arguments of the process (as an array) |
signal.target.ancestors.args_truncated | bool | Indicator of arguments truncation |
signal.target.ancestors.argv | string | Arguments of the process (as an array) |
signal.target.ancestors.argv0 | string | First argument of the process |
signal.target.ancestors.cap_effective | int | Effective capability set of the process |
signal.target.ancestors.cap_permitted | int | Permitted capability set of the process |
signal.target.ancestors.comm | string | Comm attribute of the process |
signal.target.ancestors.container.id | string | Container ID |
signal.target.ancestors.cookie | int | Cookie of the process |
signal.target.ancestors.created_at | int | Timestamp of the creation of the process |
signal.target.ancestors.egid | int | Effective GID of the process |
signal.target.ancestors.egroup | string | Effective group of the process |
signal.target.ancestors.envp | string | Environment variables of the process |
signal.target.ancestors.envs | string | Environment variable names of the process |
signal.target.ancestors.envs_truncated | bool | Indicator of environment variables truncation |
signal.target.ancestors.euid | int | Effective UID of the process |
signal.target.ancestors.euser | string | Effective user of the process |
signal.target.ancestors.file.change_time | int | Change time of the file |
signal.target.ancestors.file.filesystem | string | File’s filesystem |
signal.target.ancestors.file.gid | int | GID of the file’s owner |
signal.target.ancestors.file.group | string | Group of the file’s owner |
signal.target.ancestors.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
signal.target.ancestors.file.inode | int | Inode of the file |
signal.target.ancestors.file.mode | int | Mode/rights of the file |
signal.target.ancestors.file.modification_time | int | Modification time of the file |
signal.target.ancestors.file.mount_id | int | Mount ID of the file |
signal.target.ancestors.file.name | string | File’s basename |
signal.target.ancestors.file.path | string | File’s path |
signal.target.ancestors.file.rights | int | Mode/rights of the file |
signal.target.ancestors.file.uid | int | UID of the file’s owner |
signal.target.ancestors.file.user | string | User of the file’s owner |
signal.target.ancestors.fsgid | int | FileSystem-gid of the process |
signal.target.ancestors.fsgroup | string | FileSystem-group of the process |
signal.target.ancestors.fsuid | int | FileSystem-uid of the process |
signal.target.ancestors.fsuser | string | FileSystem-user of the process |
signal.target.ancestors.gid | int | GID of the process |
signal.target.ancestors.group | string | Group of the process |
signal.target.ancestors.pid | int | Process ID of the process (also called thread group ID) |
signal.target.ancestors.ppid | int | Parent process ID |
signal.target.ancestors.tid | int | Thread ID of the thread |
signal.target.ancestors.tty_name | string | Name of the TTY associated with the process |
signal.target.ancestors.uid | int | UID of the process |
signal.target.ancestors.user | string | User of the process |
signal.target.args | string | Arguments of the process (as a string) |
signal.target.args_flags | string | Arguments of the process (as an array) |
signal.target.args_options | string | Arguments of the process (as an array) |
signal.target.args_truncated | bool | Indicator of arguments truncation |
signal.target.argv | string | Arguments of the process (as an array) |
signal.target.argv0 | string | First argument of the process |
signal.target.cap_effective | int | Effective capability set of the process |
signal.target.cap_permitted | int | Permitted capability set of the process |
signal.target.comm | string | Comm attribute of the process |
signal.target.container.id | string | Container ID |
signal.target.cookie | int | Cookie of the process |
signal.target.created_at | int | Timestamp of the creation of the process |
signal.target.egid | int | Effective GID of the process |
signal.target.egroup | string | Effective group of the process |
signal.target.envp | string | Environment variables of the process |
signal.target.envs | string | Environment variable names of the process |
signal.target.envs_truncated | bool | Indicator of environment variables truncation |
signal.target.euid | int | Effective UID of the process |
signal.target.euser | string | Effective user of the process |
signal.target.file.change_time | int | Change time of the file |
signal.target.file.filesystem | string | File’s filesystem |
signal.target.file.gid | int | GID of the file’s owner |
signal.target.file.group | string | Group of the file’s owner |
signal.target.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
signal.target.file.inode | int | Inode of the file |
signal.target.file.mode | int | Mode/rights of the file |
signal.target.file.modification_time | int | Modification time of the file |
signal.target.file.mount_id | int | Mount ID of the file |
signal.target.file.name | string | File’s basename |
signal.target.file.path | string | File’s path |
signal.target.file.rights | int | Mode/rights of the file |
signal.target.file.uid | int | UID of the file’s owner |
signal.target.file.user | string | User of the file’s owner |
signal.target.fsgid | int | FileSystem-gid of the process |
signal.target.fsgroup | string | FileSystem-group of the process |
signal.target.fsuid | int | FileSystem-uid of the process |
signal.target.fsuser | string | FileSystem-user of the process |
signal.target.gid | int | GID of the process |
signal.target.group | string | Group of the process |
signal.target.pid | int | Process ID of the process (also called thread group ID) |
signal.target.ppid | int | Parent process ID |
signal.target.tid | int | Thread ID of the thread |
signal.target.tty_name | string | Name of the TTY associated with the process |
signal.target.uid | int | UID of the process |
signal.target.user | string | User of the process |
signal.type | int | Signal type (ex: SIGHUP, SIGINT, SIGQUIT, etc) |
spliceA splice command was executed
| Property | Type | Definition |
|---|---|---|
splice.async | bool | True if the syscall was asynchronous |
splice.file.change_time | int | Change time of the file |
splice.file.filesystem | string | File’s filesystem |
splice.file.gid | int | GID of the file’s owner |
splice.file.group | string | Group of the file’s owner |
splice.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
splice.file.inode | int | Inode of the file |
splice.file.mode | int | Mode/rights of the file |
splice.file.modification_time | int | Modification time of the file |
splice.file.mount_id | int | Mount ID of the file |
splice.file.name | string | File’s basename |
splice.file.path | string | File’s path |
splice.file.rights | int | Mode/rights of the file |
splice.file.uid | int | UID of the file’s owner |
splice.file.user | string | User of the file’s owner |
splice.pipe_entry_flag | int | Entry flag of the “fd_out” pipe passed to the splice syscall |
splice.pipe_exit_flag | int | Exit flag of the “fd_out” pipe passed to the splice syscall |
splice.retval | int | Return value of the syscall |
unlinkA file was deleted
| Property | Type | Definition |
|---|---|---|
unlink.async | bool | True if the syscall was asynchronous |
unlink.file.change_time | int | Change time of the file |
unlink.file.filesystem | string | File’s filesystem |
unlink.file.gid | int | GID of the file’s owner |
unlink.file.group | string | Group of the file’s owner |
unlink.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
unlink.file.inode | int | Inode of the file |
unlink.file.mode | int | Mode/rights of the file |
unlink.file.modification_time | int | Modification time of the file |
unlink.file.mount_id | int | Mount ID of the file |
unlink.file.name | string | File’s basename |
unlink.file.path | string | File’s path |
unlink.file.rights | int | Mode/rights of the file |
unlink.file.uid | int | UID of the file’s owner |
unlink.file.user | string | User of the file’s owner |
unlink.retval | int | Return value of the syscall |
unload_moduleA kernel module was deleted
| Property | Type | Definition |
|---|---|---|
unload_module.async | bool | True if the syscall was asynchronous |
unload_module.name | string | Name of the kernel module that was deleted |
unload_module.retval | int | Return value of the syscall |
utimesChange file access/modification times
| Property | Type | Definition |
|---|---|---|
utimes.async | bool | True if the syscall was asynchronous |
utimes.file.change_time | int | Change time of the file |
utimes.file.filesystem | string | File’s filesystem |
utimes.file.gid | int | GID of the file’s owner |
utimes.file.group | string | Group of the file’s owner |
utimes.file.in_upper_layer | bool | Indicator of the file layer, in an OverlayFS for example |
utimes.file.inode | int | Inode of the file |
utimes.file.mode | int | Mode/rights of the file |
utimes.file.modification_time | int | Modification time of the file |
utimes.file.mount_id | int | Mount ID of the file |
utimes.file.name | string | File’s basename |
utimes.file.path | string | File’s path |
utimes.file.rights | int | Mode/rights of the file |
utimes.file.uid | int | UID of the file’s owner |
utimes.file.user | string | User of the file’s owner |
utimes.retval | int | Return value of the syscall |
お役に立つドキュメント、リンクや記事:
