Cloud Security Management Threats (CSM Threats) first evaluates activity within the Datadog Agent against Agent expressions to decide what activity to collect. This portion of a CSM Threats rule is called the Agent expression. Agent expressions use Datadog’s Security Language (SECL). The standard format of a SECL expression is as follows:
Triggers are events that correspond to types of activity seen by the system. The currently supported set of triggers is:
SECL Event
Type
Definition
Agent Version
bind
Network
A bind was executed
7.37
bpf
Kernel
A BPF command was executed
7.33
capset
Process
A process changed its capacity set
7.27
chdir
File
[Experimental] A process changed the current directory
7.52
chmod
File
A file’s permissions were changed
7.27
chown
File
A file’s owner was changed
7.27
dns
Network
A DNS request was sent
7.36
exec
Process
A process was executed or forked
7.27
exit
Process
A process was terminated
7.38
link
File
Create a new name/alias for a file
7.27
load_module
Kernel
A new kernel module was loaded
7.35
mkdir
File
A directory was created
7.27
mmap
Kernel
A mmap command was executed
7.35
mount
File
[Experimental] A filesystem was mounted
7.42
mprotect
Kernel
A mprotect command was executed
7.35
open
File
A file was opened
7.27
ptrace
Kernel
A ptrace command was executed
7.35
removexattr
File
Remove extended attributes
7.27
rename
File
A file/directory was renamed
7.27
rmdir
File
A directory was removed
7.27
selinux
Kernel
An SELinux operation was run
7.30
setgid
Process
A process changed its effective gid
7.27
setuid
Process
A process changed its effective uid
7.27
setxattr
File
Set exteneded attributes
7.27
signal
Process
A signal was sent
7.35
splice
File
A splice command was executed
7.36
unlink
File
A file was deleted
7.27
unload_module
Kernel
A kernel module was deleted
7.35
utimes
File
Change file access/modification times
7.27
Operators
SECL operators are used to combine event attributes together into a full expression. The following operators are available:
SECL Operator
Types
Definition
Agent Version
==
Process
Equal
7.27
!=
File
Not equal
7.27
>
File
Greater
7.27
>=
File
Greater or equal
7.27
<
File
Lesser
7.27
<=
File
Lesser or equal
7.27
!
File
Not
7.27
^
File
Binary not
7.27
in [elem1, ...]
File
Element is contained in list
7.27
not in [elem1, ...]
File
Element is not contained in list
7.27
=~
File
String matching
7.27
!~
File
String not matching
7.27
&
File
Binary and
7.27
|
File
Binary or
7.27
&&
File
Logical and
7.27
||
File
Logical or
7.27
in CIDR
Network
Element is in the IP range
7.37
not in CIDR
Network
Element is not in the IP range
7.37
allin CIDR
Network
All the elements are in the IP range
7.37
in [CIDR1, ...]
Network
Element is in the IP ranges
7.37
not in [CIDR1, ...]
Network
Element is not in the IP ranges
7.37
allin [CIDR1, ...]
Network
All the elements are in the IP ranges
7.37
Patterns and regular expressions
Patterns or regular expressions can be used in SECL expressions. They can be used with the in, not in, =~, and !~ operators.
Format
Example
Supported Fields
Agent Version
~"pattern"
~"httpd.*"
All
7.27
r"regexp"
r"rc[0-9]+"
All except .path
7.27
Patterns on .path fields will be used as Glob. * will match files and folders at the same level. **, introduced in 7.34, can be used at the end of a path in order to match all the files and subfolders.
Duration
You can use SECL to write rules based on durations, which trigger on events that occur during a specific time period. For example, trigger on an event where a secret file is accessed more than a certain length of time after a process is created.
Such a rule could be written as follows:
Helpers exist in SECL that enable users to write advanced rules without needing to rely on generic techniques such as regex.
Command line arguments
The args_flags and args_options are helpers to ease the writing of CSM Threats rules based on command line arguments.
args_flags is used to catch arguments that start with either one or two hyphen characters but do not accept any associated value.
Examples:
version is part of args_flags for the command cat --version
l and n both are in args_flags for the command netstat -ln
args_options is used to catch arguments that start with either one or two hyphen characters and accepts a value either specified as the same argument but separated by the ‘=’ character or specified as the next argument.
Examples:
T=8 and width=8 both are in args_options for the command ls -T 8 --width=8
exec.args_options in [ r"s=.*\\" ] can be used to detect sudoedit was launched with -s argument and a command that ends with a \
File rights
The file.rights attribute can now be used in addition to file.mode. file.mode can hold values set by the kernel, while the file.rights only holds the values set by the user. These rights may be more familiar because they are in the chmod commands.
Definition: Arguments of the process (as a string, excluding argv0)
*.args has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
Matches any process that has the “-F” argument anywhere before an argument starting with “http”.
*.args_flags
Type: string
Definition: Flags in the process arguments
*.args_flags has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
Example:
exec.args_flagsin["s"]&&exec.args_flagsin["V"]
Matches any process with both “-s” and “-V” flags in its arguments. Also matches “-sV”.
*.args_options
Type: string
Definition: Argument of the process as options
*.args_options has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
Example:
exec.args_optionsin["p=0-1024"]
Matches any process that has either “-p 0-1024” or “–p=0-1024” in its arguments.
*.args_truncated
Type: bool
Definition: Indicator of arguments truncation
*.args_truncated has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.argv
Type: string
Definition: Arguments of the process (as an array, excluding argv0)
*.argv has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
Example:
exec.argvin["127.0.0.1"]
Matches any process that has this IP address as one of its arguments.
*.argv0
Type: string
Definition: First argument of the process
*.argv0 has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.cap_effective
Type: int
Definition: Effective capability set of the process
*.cap_effective has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
Definition: Permitted capability set of the process
*.cap_permitted has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.change_time has 39 possible prefixes:
chdir.filechmod.filechown.fileexec.fileexec.interpreter.fileexit.fileexit.interpreter.filelink.filelink.file.destinationload_module.filemkdir.filemmap.fileopen.fileprocess.ancestors.fileprocess.ancestors.interpreter.fileprocess.fileprocess.interpreter.fileprocess.parent.fileprocess.parent.interpreter.fileptrace.tracee.ancestors.fileptrace.tracee.ancestors.interpreter.fileptrace.tracee.fileptrace.tracee.interpreter.fileptrace.tracee.parent.fileptrace.tracee.parent.interpreter.fileremovexattr.filerename.filerename.file.destinationrmdir.filesetxattr.filesignal.target.ancestors.filesignal.target.ancestors.interpreter.filesignal.target.filesignal.target.interpreter.filesignal.target.parent.filesignal.target.parent.interpreter.filesplice.fileunlink.fileutimes.file
*.comm
Type: string
Definition: Comm attribute of the process
*.comm has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.container.id
Type: string
Definition: Container ID
*.container.id has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.created_at
Type: int
Definition: Timestamp of the creation of the process
*.created_at has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.egid
Type: int
Definition: Effective GID of the process
*.egid has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.egroup
Type: string
Definition: Effective group of the process
*.egroup has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.envp
Type: string
Definition: Environment variables of the process
*.envp has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.envs
Type: string
Definition: Environment variable names of the process
*.envs has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.envs_truncated
Type: bool
Definition: Indicator of environment variables truncation
*.envs_truncated has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.euid
Type: int
Definition: Effective UID of the process
*.euid has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.euser
Type: string
Definition: Effective user of the process
*.euser has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.file.destination.name
Type: string
Definition: Name of the extended attribute
*.file.destination.name has 2 possible prefixes:
removexattrsetxattr
*.file.destination.namespace
Type: string
Definition: Namespace of the extended attribute
*.file.destination.namespace has 2 possible prefixes:
removexattrsetxattr
*.filesystem
Type: string
Definition: File’s filesystem
*.filesystem has 39 possible prefixes:
chdir.filechmod.filechown.fileexec.fileexec.interpreter.fileexit.fileexit.interpreter.filelink.filelink.file.destinationload_module.filemkdir.filemmap.fileopen.fileprocess.ancestors.fileprocess.ancestors.interpreter.fileprocess.fileprocess.interpreter.fileprocess.parent.fileprocess.parent.interpreter.fileptrace.tracee.ancestors.fileptrace.tracee.ancestors.interpreter.fileptrace.tracee.fileptrace.tracee.interpreter.fileptrace.tracee.parent.fileptrace.tracee.parent.interpreter.fileremovexattr.filerename.filerename.file.destinationrmdir.filesetxattr.filesignal.target.ancestors.filesignal.target.ancestors.interpreter.filesignal.target.filesignal.target.interpreter.filesignal.target.parent.filesignal.target.parent.interpreter.filesplice.fileunlink.fileutimes.file
*.fsgid
Type: int
Definition: FileSystem-gid of the process
*.fsgid has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.fsgroup
Type: string
Definition: FileSystem-group of the process
*.fsgroup has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.fsuid
Type: int
Definition: FileSystem-uid of the process
*.fsuid has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.fsuser
Type: string
Definition: FileSystem-user of the process
*.fsuser has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.gid
Type: int
Definition: GID of the process
*.gid has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.gid
Type: int
Definition: GID of the file’s owner
*.gid has 39 possible prefixes:
chdir.filechmod.filechown.fileexec.fileexec.interpreter.fileexit.fileexit.interpreter.filelink.filelink.file.destinationload_module.filemkdir.filemmap.fileopen.fileprocess.ancestors.fileprocess.ancestors.interpreter.fileprocess.fileprocess.interpreter.fileprocess.parent.fileprocess.parent.interpreter.fileptrace.tracee.ancestors.fileptrace.tracee.ancestors.interpreter.fileptrace.tracee.fileptrace.tracee.interpreter.fileptrace.tracee.parent.fileptrace.tracee.parent.interpreter.fileremovexattr.filerename.filerename.file.destinationrmdir.filesetxattr.filesignal.target.ancestors.filesignal.target.ancestors.interpreter.filesignal.target.filesignal.target.interpreter.filesignal.target.parent.filesignal.target.parent.interpreter.filesplice.fileunlink.fileutimes.file
*.group
Type: string
Definition: Group of the process
*.group has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.group
Type: string
Definition: Group of the file’s owner
*.group has 39 possible prefixes:
chdir.filechmod.filechown.fileexec.fileexec.interpreter.fileexit.fileexit.interpreter.filelink.filelink.file.destinationload_module.filemkdir.filemmap.fileopen.fileprocess.ancestors.fileprocess.ancestors.interpreter.fileprocess.fileprocess.interpreter.fileprocess.parent.fileprocess.parent.interpreter.fileptrace.tracee.ancestors.fileptrace.tracee.ancestors.interpreter.fileptrace.tracee.fileptrace.tracee.interpreter.fileptrace.tracee.parent.fileptrace.tracee.parent.interpreter.fileremovexattr.filerename.filerename.file.destinationrmdir.filesetxattr.filesignal.target.ancestors.filesignal.target.ancestors.interpreter.filesignal.target.filesignal.target.interpreter.filesignal.target.parent.filesignal.target.parent.interpreter.filesplice.fileunlink.fileutimes.file
*.hashes
Type: string
Definition: [Experimental] List of cryptographic hashes computed for this file
*.hashes has 39 possible prefixes:
chdir.filechmod.filechown.fileexec.fileexec.interpreter.fileexit.fileexit.interpreter.filelink.filelink.file.destinationload_module.filemkdir.filemmap.fileopen.fileprocess.ancestors.fileprocess.ancestors.interpreter.fileprocess.fileprocess.interpreter.fileprocess.parent.fileprocess.parent.interpreter.fileptrace.tracee.ancestors.fileptrace.tracee.ancestors.interpreter.fileptrace.tracee.fileptrace.tracee.interpreter.fileptrace.tracee.parent.fileptrace.tracee.parent.interpreter.fileremovexattr.filerename.filerename.file.destinationrmdir.filesetxattr.filesignal.target.ancestors.filesignal.target.ancestors.interpreter.filesignal.target.filesignal.target.interpreter.filesignal.target.parent.filesignal.target.parent.interpreter.filesplice.fileunlink.fileutimes.file
*.in_upper_layer
Type: bool
Definition: Indicator of the file layer, for example, in an OverlayFS
*.in_upper_layer has 39 possible prefixes:
chdir.filechmod.filechown.fileexec.fileexec.interpreter.fileexit.fileexit.interpreter.filelink.filelink.file.destinationload_module.filemkdir.filemmap.fileopen.fileprocess.ancestors.fileprocess.ancestors.interpreter.fileprocess.fileprocess.interpreter.fileprocess.parent.fileprocess.parent.interpreter.fileptrace.tracee.ancestors.fileptrace.tracee.ancestors.interpreter.fileptrace.tracee.fileptrace.tracee.interpreter.fileptrace.tracee.parent.fileptrace.tracee.parent.interpreter.fileremovexattr.filerename.filerename.file.destinationrmdir.filesetxattr.filesignal.target.ancestors.filesignal.target.ancestors.interpreter.filesignal.target.filesignal.target.interpreter.filesignal.target.parent.filesignal.target.parent.interpreter.filesplice.fileunlink.fileutimes.file
*.inode
Type: int
Definition: Inode of the file
*.inode has 39 possible prefixes:
chdir.filechmod.filechown.fileexec.fileexec.interpreter.fileexit.fileexit.interpreter.filelink.filelink.file.destinationload_module.filemkdir.filemmap.fileopen.fileprocess.ancestors.fileprocess.ancestors.interpreter.fileprocess.fileprocess.interpreter.fileprocess.parent.fileprocess.parent.interpreter.fileptrace.tracee.ancestors.fileptrace.tracee.ancestors.interpreter.fileptrace.tracee.fileptrace.tracee.interpreter.fileptrace.tracee.parent.fileptrace.tracee.parent.interpreter.fileremovexattr.filerename.filerename.file.destinationrmdir.filesetxattr.filesignal.target.ancestors.filesignal.target.ancestors.interpreter.filesignal.target.filesignal.target.interpreter.filesignal.target.parent.filesignal.target.parent.interpreter.filesplice.fileunlink.fileutimes.file
*.ip
Type: IP/CIDR
Definition: IP address
*.ip has 3 possible prefixes:
bind.addrnetwork.destinationnetwork.source
*.is_kworker
Type: bool
Definition: Indicates whether the process is a kworker
*.is_kworker has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.is_thread
Type: bool
Definition: Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
*.is_thread has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.k8s_groups
Type: string
Definition: Kubernetes groups of the user that executed the process
*.k8s_groups has 11 possible prefixes:
exec.user_sessionexit.user_sessionprocess.ancestors.user_sessionprocess.parent.user_sessionprocess.user_sessionptrace.tracee.ancestors.user_sessionptrace.tracee.parent.user_sessionptrace.tracee.user_sessionsignal.target.ancestors.user_sessionsignal.target.parent.user_sessionsignal.target.user_session
*.k8s_uid
Type: string
Definition: Kubernetes UID of the user that executed the process
*.k8s_uid has 11 possible prefixes:
exec.user_sessionexit.user_sessionprocess.ancestors.user_sessionprocess.parent.user_sessionprocess.user_sessionptrace.tracee.ancestors.user_sessionptrace.tracee.parent.user_sessionptrace.tracee.user_sessionsignal.target.ancestors.user_sessionsignal.target.parent.user_sessionsignal.target.user_session
*.k8s_username
Type: string
Definition: Kubernetes username of the user that executed the process
*.k8s_username has 11 possible prefixes:
exec.user_sessionexit.user_sessionprocess.ancestors.user_sessionprocess.parent.user_sessionprocess.user_sessionptrace.tracee.ancestors.user_sessionptrace.tracee.parent.user_sessionptrace.tracee.user_sessionsignal.target.ancestors.user_sessionsignal.target.parent.user_sessionsignal.target.user_session
*.length
Type: int
Definition: Length of the corresponding string
*.length has 79 possible prefixes:
chdir.file.namechdir.file.pathchmod.file.namechmod.file.pathchown.file.namechown.file.pathdns.question.nameexec.file.nameexec.file.pathexec.interpreter.file.nameexec.interpreter.file.pathexit.file.nameexit.file.pathexit.interpreter.file.nameexit.interpreter.file.pathlink.file.destination.namelink.file.destination.pathlink.file.namelink.file.pathload_module.file.nameload_module.file.pathmkdir.file.namemkdir.file.pathmmap.file.namemmap.file.pathopen.file.nameopen.file.pathprocess.ancestors.file.nameprocess.ancestors.file.pathprocess.ancestors.interpreter.file.nameprocess.ancestors.interpreter.file.pathprocess.file.nameprocess.file.pathprocess.interpreter.file.nameprocess.interpreter.file.pathprocess.parent.file.nameprocess.parent.file.pathprocess.parent.interpreter.file.nameprocess.parent.interpreter.file.pathptrace.tracee.ancestors.file.nameptrace.tracee.ancestors.file.pathptrace.tracee.ancestors.interpreter.file.nameptrace.tracee.ancestors.interpreter.file.pathptrace.tracee.file.nameptrace.tracee.file.pathptrace.tracee.interpreter.file.nameptrace.tracee.interpreter.file.pathptrace.tracee.parent.file.nameptrace.tracee.parent.file.pathptrace.tracee.parent.interpreter.file.nameptrace.tracee.parent.interpreter.file.pathremovexattr.file.nameremovexattr.file.pathrename.file.destination.namerename.file.destination.pathrename.file.namerename.file.pathrmdir.file.namermdir.file.pathsetxattr.file.namesetxattr.file.pathsignal.target.ancestors.file.namesignal.target.ancestors.file.pathsignal.target.ancestors.interpreter.file.namesignal.target.ancestors.interpreter.file.pathsignal.target.file.namesignal.target.file.pathsignal.target.interpreter.file.namesignal.target.interpreter.file.pathsignal.target.parent.file.namesignal.target.parent.file.pathsignal.target.parent.interpreter.file.namesignal.target.parent.interpreter.file.pathsplice.file.namesplice.file.pathunlink.file.nameunlink.file.pathutimes.file.nameutimes.file.path
*.mode
Type: int
Definition: Mode of the file
*.mode has 39 possible prefixes:
chdir.filechmod.filechown.fileexec.fileexec.interpreter.fileexit.fileexit.interpreter.filelink.filelink.file.destinationload_module.filemkdir.filemmap.fileopen.fileprocess.ancestors.fileprocess.ancestors.interpreter.fileprocess.fileprocess.interpreter.fileprocess.parent.fileprocess.parent.interpreter.fileptrace.tracee.ancestors.fileptrace.tracee.ancestors.interpreter.fileptrace.tracee.fileptrace.tracee.interpreter.fileptrace.tracee.parent.fileptrace.tracee.parent.interpreter.fileremovexattr.filerename.filerename.file.destinationrmdir.filesetxattr.filesignal.target.ancestors.filesignal.target.ancestors.interpreter.filesignal.target.filesignal.target.interpreter.filesignal.target.parent.filesignal.target.parent.interpreter.filesplice.fileunlink.fileutimes.file
*.modification_time has 39 possible prefixes:
chdir.filechmod.filechown.fileexec.fileexec.interpreter.fileexit.fileexit.interpreter.filelink.filelink.file.destinationload_module.filemkdir.filemmap.fileopen.fileprocess.ancestors.fileprocess.ancestors.interpreter.fileprocess.fileprocess.interpreter.fileprocess.parent.fileprocess.parent.interpreter.fileptrace.tracee.ancestors.fileptrace.tracee.ancestors.interpreter.fileptrace.tracee.fileptrace.tracee.interpreter.fileptrace.tracee.parent.fileptrace.tracee.parent.interpreter.fileremovexattr.filerename.filerename.file.destinationrmdir.filesetxattr.filesignal.target.ancestors.filesignal.target.ancestors.interpreter.filesignal.target.filesignal.target.interpreter.filesignal.target.parent.filesignal.target.parent.interpreter.filesplice.fileunlink.fileutimes.file
*.mount_id
Type: int
Definition: Mount ID of the file
*.mount_id has 39 possible prefixes:
chdir.filechmod.filechown.fileexec.fileexec.interpreter.fileexit.fileexit.interpreter.filelink.filelink.file.destinationload_module.filemkdir.filemmap.fileopen.fileprocess.ancestors.fileprocess.ancestors.interpreter.fileprocess.fileprocess.interpreter.fileprocess.parent.fileprocess.parent.interpreter.fileptrace.tracee.ancestors.fileptrace.tracee.ancestors.interpreter.fileptrace.tracee.fileptrace.tracee.interpreter.fileptrace.tracee.parent.fileptrace.tracee.parent.interpreter.fileremovexattr.filerename.filerename.file.destinationrmdir.filesetxattr.filesignal.target.ancestors.filesignal.target.ancestors.interpreter.filesignal.target.filesignal.target.interpreter.filesignal.target.parent.filesignal.target.parent.interpreter.filesplice.fileunlink.fileutimes.file
*.name
Type: string
Definition: File’s basename
*.name has 39 possible prefixes:
chdir.filechmod.filechown.fileexec.fileexec.interpreter.fileexit.fileexit.interpreter.filelink.filelink.file.destinationload_module.filemkdir.filemmap.fileopen.fileprocess.ancestors.fileprocess.ancestors.interpreter.fileprocess.fileprocess.interpreter.fileprocess.parent.fileprocess.parent.interpreter.fileptrace.tracee.ancestors.fileptrace.tracee.ancestors.interpreter.fileptrace.tracee.fileptrace.tracee.interpreter.fileptrace.tracee.parent.fileptrace.tracee.parent.interpreter.fileremovexattr.filerename.filerename.file.destinationrmdir.filesetxattr.filesignal.target.ancestors.filesignal.target.ancestors.interpreter.filesignal.target.filesignal.target.interpreter.filesignal.target.parent.filesignal.target.parent.interpreter.filesplice.fileunlink.fileutimes.file
Example:
exec.file.name=="apt"
Matches the execution of any file named apt.
*.package.name
Type: string
Definition: [Experimental] Name of the package that provided this file
*.package.name has 39 possible prefixes:
chdir.filechmod.filechown.fileexec.fileexec.interpreter.fileexit.fileexit.interpreter.filelink.filelink.file.destinationload_module.filemkdir.filemmap.fileopen.fileprocess.ancestors.fileprocess.ancestors.interpreter.fileprocess.fileprocess.interpreter.fileprocess.parent.fileprocess.parent.interpreter.fileptrace.tracee.ancestors.fileptrace.tracee.ancestors.interpreter.fileptrace.tracee.fileptrace.tracee.interpreter.fileptrace.tracee.parent.fileptrace.tracee.parent.interpreter.fileremovexattr.filerename.filerename.file.destinationrmdir.filesetxattr.filesignal.target.ancestors.filesignal.target.ancestors.interpreter.filesignal.target.filesignal.target.interpreter.filesignal.target.parent.filesignal.target.parent.interpreter.filesplice.fileunlink.fileutimes.file
*.package.source_version
Type: string
Definition: [Experimental] Full version of the source package of the package that provided this file
*.package.source_version has 39 possible prefixes:
chdir.filechmod.filechown.fileexec.fileexec.interpreter.fileexit.fileexit.interpreter.filelink.filelink.file.destinationload_module.filemkdir.filemmap.fileopen.fileprocess.ancestors.fileprocess.ancestors.interpreter.fileprocess.fileprocess.interpreter.fileprocess.parent.fileprocess.parent.interpreter.fileptrace.tracee.ancestors.fileptrace.tracee.ancestors.interpreter.fileptrace.tracee.fileptrace.tracee.interpreter.fileptrace.tracee.parent.fileptrace.tracee.parent.interpreter.fileremovexattr.filerename.filerename.file.destinationrmdir.filesetxattr.filesignal.target.ancestors.filesignal.target.ancestors.interpreter.filesignal.target.filesignal.target.interpreter.filesignal.target.parent.filesignal.target.parent.interpreter.filesplice.fileunlink.fileutimes.file
*.package.version
Type: string
Definition: [Experimental] Full version of the package that provided this file
*.package.version has 39 possible prefixes:
chdir.filechmod.filechown.fileexec.fileexec.interpreter.fileexit.fileexit.interpreter.filelink.filelink.file.destinationload_module.filemkdir.filemmap.fileopen.fileprocess.ancestors.fileprocess.ancestors.interpreter.fileprocess.fileprocess.interpreter.fileprocess.parent.fileprocess.parent.interpreter.fileptrace.tracee.ancestors.fileptrace.tracee.ancestors.interpreter.fileptrace.tracee.fileptrace.tracee.interpreter.fileptrace.tracee.parent.fileptrace.tracee.parent.interpreter.fileremovexattr.filerename.filerename.file.destinationrmdir.filesetxattr.filesignal.target.ancestors.filesignal.target.ancestors.interpreter.filesignal.target.filesignal.target.interpreter.filesignal.target.parent.filesignal.target.parent.interpreter.filesplice.fileunlink.fileutimes.file
*.path
Type: string
Definition: File’s path
*.path has 39 possible prefixes:
chdir.filechmod.filechown.fileexec.fileexec.interpreter.fileexit.fileexit.interpreter.filelink.filelink.file.destinationload_module.filemkdir.filemmap.fileopen.fileprocess.ancestors.fileprocess.ancestors.interpreter.fileprocess.fileprocess.interpreter.fileprocess.parent.fileprocess.parent.interpreter.fileptrace.tracee.ancestors.fileptrace.tracee.ancestors.interpreter.fileptrace.tracee.fileptrace.tracee.interpreter.fileptrace.tracee.parent.fileptrace.tracee.parent.interpreter.fileremovexattr.filerename.filerename.file.destinationrmdir.filesetxattr.filesignal.target.ancestors.filesignal.target.ancestors.interpreter.filesignal.target.filesignal.target.interpreter.filesignal.target.parent.filesignal.target.parent.interpreter.filesplice.fileunlink.fileutimes.file
Example:
exec.file.path=="/usr/bin/apt"
Matches the execution of the file located at /usr/bin/apt
Example:
open.file.path=="/etc/passwd"
Matches any process opening the /etc/passwd file.
*.pid
Type: int
Definition: Process ID of the process (also called thread group ID)
*.pid has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.port
Type: int
Definition: Port number
*.port has 3 possible prefixes:
bind.addrnetwork.destinationnetwork.source
*.ppid
Type: int
Definition: Parent process ID
*.ppid has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.retval
Type: int
Definition: Return value of the syscall
*.retval has 22 possible prefixes:
bindbpfchdirchmodchownlinkload_modulemkdirmmapmountmprotectopenptraceremovexattrrenamermdirsetxattrsignalspliceunlinkunload_moduleutimes
*.rights has 39 possible prefixes:
chdir.filechmod.filechown.fileexec.fileexec.interpreter.fileexit.fileexit.interpreter.filelink.filelink.file.destinationload_module.filemkdir.filemmap.fileopen.fileprocess.ancestors.fileprocess.ancestors.interpreter.fileprocess.fileprocess.interpreter.fileprocess.parent.fileprocess.parent.interpreter.fileptrace.tracee.ancestors.fileptrace.tracee.ancestors.interpreter.fileptrace.tracee.fileptrace.tracee.interpreter.fileptrace.tracee.parent.fileptrace.tracee.parent.interpreter.fileremovexattr.filerename.filerename.file.destinationrmdir.filesetxattr.filesignal.target.ancestors.filesignal.target.ancestors.interpreter.filesignal.target.filesignal.target.interpreter.filesignal.target.parent.filesignal.target.parent.interpreter.filesplice.fileunlink.fileutimes.file
*.tid has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.tty_name
Type: string
Definition: Name of the TTY associated with the process
*.tty_name has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.uid
Type: int
Definition: UID of the process
*.uid has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
*.uid
Type: int
Definition: UID of the file’s owner
*.uid has 39 possible prefixes:
chdir.filechmod.filechown.fileexec.fileexec.interpreter.fileexit.fileexit.interpreter.filelink.filelink.file.destinationload_module.filemkdir.filemmap.fileopen.fileprocess.ancestors.fileprocess.ancestors.interpreter.fileprocess.fileprocess.interpreter.fileprocess.parent.fileprocess.parent.interpreter.fileptrace.tracee.ancestors.fileptrace.tracee.ancestors.interpreter.fileptrace.tracee.fileptrace.tracee.interpreter.fileptrace.tracee.parent.fileptrace.tracee.parent.interpreter.fileremovexattr.filerename.filerename.file.destinationrmdir.filesetxattr.filesignal.target.ancestors.filesignal.target.ancestors.interpreter.filesignal.target.filesignal.target.interpreter.filesignal.target.parent.filesignal.target.parent.interpreter.filesplice.fileunlink.fileutimes.file
*.user
Type: string
Definition: User of the process
*.user has 11 possible prefixes:
execexitprocessprocess.ancestorsprocess.parentptrace.traceeptrace.tracee.ancestorsptrace.tracee.parentsignal.targetsignal.target.ancestorssignal.target.parent
Example:
process.user=="root"
Constrain an event to be triggered by a process running as the root user.
*.user
Type: string
Definition: User of the file’s owner
*.user has 39 possible prefixes:
chdir.filechmod.filechown.fileexec.fileexec.interpreter.fileexit.fileexit.interpreter.filelink.filelink.file.destinationload_module.filemkdir.filemmap.fileopen.fileprocess.ancestors.fileprocess.ancestors.interpreter.fileprocess.fileprocess.interpreter.fileprocess.parent.fileprocess.parent.interpreter.fileptrace.tracee.ancestors.fileptrace.tracee.ancestors.interpreter.fileptrace.tracee.fileptrace.tracee.interpreter.fileptrace.tracee.parent.fileptrace.tracee.parent.interpreter.fileremovexattr.filerename.filerename.file.destinationrmdir.filesetxattr.filesignal.target.ancestors.filesignal.target.ancestors.interpreter.filesignal.target.filesignal.target.interpreter.filesignal.target.parent.filesignal.target.parent.interpreter.filesplice.fileunlink.fileutimes.file
Definition: Name of the kernel module that was deleted
Constants
Constants are used to improve the readability of your rules. Some constants are common to all architectures, others are specific to some architectures.
BPF attach types
BPF attach types are the supported eBPF program attach types.
Name
Architectures
BPF_CGROUP_INET_INGRESS
all
BPF_CGROUP_INET_EGRESS
all
BPF_CGROUP_INET_SOCK_CREATE
all
BPF_CGROUP_SOCK_OPS
all
BPF_SK_SKB_STREAM_PARSER
all
BPF_SK_SKB_STREAM_VERDICT
all
BPF_CGROUP_DEVICE
all
BPF_SK_MSG_VERDICT
all
BPF_CGROUP_INET4_BIND
all
BPF_CGROUP_INET6_BIND
all
BPF_CGROUP_INET4_CONNECT
all
BPF_CGROUP_INET6_CONNECT
all
BPF_CGROUP_INET4_POST_BIND
all
BPF_CGROUP_INET6_POST_BIND
all
BPF_CGROUP_UDP4_SENDMSG
all
BPF_CGROUP_UDP6_SENDMSG
all
BPF_LIRC_MODE2
all
BPF_FLOW_DISSECTOR
all
BPF_CGROUP_SYSCTL
all
BPF_CGROUP_UDP4_RECVMSG
all
BPF_CGROUP_UDP6_RECVMSG
all
BPF_CGROUP_GETSOCKOPT
all
BPF_CGROUP_SETSOCKOPT
all
BPF_TRACE_RAW_TP
all
BPF_TRACE_FENTRY
all
BPF_TRACE_FEXIT
all
BPF_MODIFY_RETURN
all
BPF_LSM_MAC
all
BPF_TRACE_ITER
all
BPF_CGROUP_INET4_GETPEERNAME
all
BPF_CGROUP_INET6_GETPEERNAME
all
BPF_CGROUP_INET4_GETSOCKNAME
all
BPF_CGROUP_INET6_GETSOCKNAME
all
BPF_XDP_DEVMAP
all
BPF_CGROUP_INET_SOCK_RELEASE
all
BPF_XDP_CPUMAP
all
BPF_SK_LOOKUP
all
BPF_XDP
all
BPF_SK_SKB_VERDICT
all
BPF commands
BPF commands are used to specify a command to a bpf syscall.
Name
Architectures
BPF_MAP_CREATE
all
BPF_MAP_LOOKUP_ELEM
all
BPF_MAP_UPDATE_ELEM
all
BPF_MAP_DELETE_ELEM
all
BPF_MAP_GET_NEXT_KEY
all
BPF_PROG_LOAD
all
BPF_OBJ_PIN
all
BPF_OBJ_GET
all
BPF_PROG_ATTACH
all
BPF_PROG_DETACH
all
BPF_PROG_TEST_RUN
all
BPF_PROG_RUN
all
BPF_PROG_GET_NEXT_ID
all
BPF_MAP_GET_NEXT_ID
all
BPF_PROG_GET_FD_BY_ID
all
BPF_MAP_GET_FD_BY_ID
all
BPF_OBJ_GET_INFO_BY_FD
all
BPF_PROG_QUERY
all
BPF_RAW_TRACEPOINT_OPEN
all
BPF_BTF_LOAD
all
BPF_BTF_GET_FD_BY_ID
all
BPF_TASK_FD_QUERY
all
BPF_MAP_LOOKUP_AND_DELETE_ELEM
all
BPF_MAP_FREEZE
all
BPF_BTF_GET_NEXT_ID
all
BPF_MAP_LOOKUP_BATCH
all
BPF_MAP_LOOKUP_AND_DELETE_BATCH
all
BPF_MAP_UPDATE_BATCH
all
BPF_MAP_DELETE_BATCH
all
BPF_LINK_CREATE
all
BPF_LINK_UPDATE
all
BPF_LINK_GET_FD_BY_ID
all
BPF_LINK_GET_NEXT_ID
all
BPF_ENABLE_STATS
all
BPF_ITER_CREATE
all
BPF_LINK_DETACH
all
BPF_PROG_BIND_MAP
all
BPF helper functions
BPF helper functions are the supported BPF helper functions.
Name
Architectures
BPF_UNSPEC
all
BPF_MAP_LOOKUP_ELEM
all
BPF_MAP_UPDATE_ELEM
all
BPF_MAP_DELETE_ELEM
all
BPF_PROBE_READ
all
BPF_KTIME_GET_NS
all
BPF_TRACE_PRINTK
all
BPF_GET_PRANDOM_U32
all
BPF_GET_SMP_PROCESSOR_ID
all
BPF_SKB_STORE_BYTES
all
BPF_L3_CSUM_REPLACE
all
BPF_L4_CSUM_REPLACE
all
BPF_TAIL_CALL
all
BPF_CLONE_REDIRECT
all
BPF_GET_CURRENT_PID_TGID
all
BPF_GET_CURRENT_UID_GID
all
BPF_GET_CURRENT_COMM
all
BPF_GET_CGROUP_CLASSID
all
BPF_SKB_VLAN_PUSH
all
BPF_SKB_VLAN_POP
all
BPF_SKB_GET_TUNNEL_KEY
all
BPF_SKB_SET_TUNNEL_KEY
all
BPF_PERF_EVENT_READ
all
BPF_REDIRECT
all
BPF_GET_ROUTE_REALM
all
BPF_PERF_EVENT_OUTPUT
all
BPF_SKB_LOAD_BYTES
all
BPF_GET_STACKID
all
BPF_CSUM_DIFF
all
BPF_SKB_GET_TUNNEL_OPT
all
BPF_SKB_SET_TUNNEL_OPT
all
BPF_SKB_CHANGE_PROTO
all
BPF_SKB_CHANGE_TYPE
all
BPF_SKB_UNDER_CGROUP
all
BPF_GET_HASH_RECALC
all
BPF_GET_CURRENT_TASK
all
BPF_PROBE_WRITE_USER
all
BPF_CURRENT_TASK_UNDER_CGROUP
all
BPF_SKB_CHANGE_TAIL
all
BPF_SKB_PULL_DATA
all
BPF_CSUM_UPDATE
all
BPF_SET_HASH_INVALID
all
BPF_GET_NUMA_NODE_ID
all
BPF_SKB_CHANGE_HEAD
all
BPF_XDP_ADJUST_HEAD
all
BPF_PROBE_READ_STR
all
BPF_GET_SOCKET_COOKIE
all
BPF_GET_SOCKET_UID
all
BPF_SET_HASH
all
BPF_SETSOCKOPT
all
BPF_SKB_ADJUST_ROOM
all
BPF_REDIRECT_MAP
all
BPF_SK_REDIRECT_MAP
all
BPF_SOCK_MAP_UPDATE
all
BPF_XDP_ADJUST_META
all
BPF_PERF_EVENT_READ_VALUE
all
BPF_PERF_PROG_READ_VALUE
all
BPF_GETSOCKOPT
all
BPF_OVERRIDE_RETURN
all
BPF_SOCK_OPS_CB_FLAGS_SET
all
BPF_MSG_REDIRECT_MAP
all
BPF_MSG_APPLY_BYTES
all
BPF_MSG_CORK_BYTES
all
BPF_MSG_PULL_DATA
all
BPF_BIND
all
BPF_XDP_ADJUST_TAIL
all
BPF_SKB_GET_XFRM_STATE
all
BPF_GET_STACK
all
BPF_SKB_LOAD_BYTES_RELATIVE
all
BPF_FIB_LOOKUP
all
BPF_SOCK_HASH_UPDATE
all
BPF_MSG_REDIRECT_HASH
all
BPF_SK_REDIRECT_HASH
all
BPF_LWT_PUSH_ENCAP
all
BPF_LWT_SEG6_STORE_BYTES
all
BPF_LWT_SEG6_ADJUST_SRH
all
BPF_LWT_SEG6_ACTION
all
BPF_RC_REPEAT
all
BPF_RC_KEYDOWN
all
BPF_SKB_CGROUP_ID
all
BPF_GET_CURRENT_CGROUP_ID
all
BPF_GET_LOCAL_STORAGE
all
BPF_SK_SELECT_REUSEPORT
all
BPF_SKB_ANCESTOR_CGROUP_ID
all
BPF_SK_LOOKUP_TCP
all
BPF_SK_LOOKUP_UDP
all
BPF_SK_RELEASE
all
BPF_MAP_PUSH_ELEM
all
BPF_MAP_POP_ELEM
all
BPF_MAP_PEEK_ELEM
all
BPF_MSG_PUSH_DATA
all
BPF_MSG_POP_DATA
all
BPF_RC_POINTER_REL
all
BPF_SPIN_LOCK
all
BPF_SPIN_UNLOCK
all
BPF_SK_FULLSOCK
all
BPF_TCP_SOCK
all
BPF_SKB_ECN_SET_CE
all
BPF_GET_LISTENER_SOCK
all
BPF_SKC_LOOKUP_TCP
all
BPF_TCP_CHECK_SYNCOOKIE
all
BPF_SYSCTL_GET_NAME
all
BPF_SYSCTL_GET_CURRENT_VALUE
all
BPF_SYSCTL_GET_NEW_VALUE
all
BPF_SYSCTL_SET_NEW_VALUE
all
BPF_STRTOL
all
BPF_STRTOUL
all
BPF_SK_STORAGE_GET
all
BPF_SK_STORAGE_DELETE
all
BPF_SEND_SIGNAL
all
BPF_TCP_GEN_SYNCOOKIE
all
BPF_SKB_OUTPUT
all
BPF_PROBE_READ_USER
all
BPF_PROBE_READ_KERNEL
all
BPF_PROBE_READ_USER_STR
all
BPF_PROBE_READ_KERNEL_STR
all
BPF_TCP_SEND_ACK
all
BPF_SEND_SIGNAL_THREAD
all
BPF_JIFFIES64
all
BPF_READ_BRANCH_RECORDS
all
BPF_GET_NS_CURRENT_PID_TGID
all
BPF_XDP_OUTPUT
all
BPF_GET_NETNS_COOKIE
all
BPF_GET_CURRENT_ANCESTOR_CGROUP_ID
all
BPF_SK_ASSIGN
all
BPF_KTIME_GET_BOOT_NS
all
BPF_SEQ_PRINTF
all
BPF_SEQ_WRITE
all
BPF_SK_CGROUP_ID
all
BPF_SK_ANCESTOR_CGROUP_ID
all
BPF_RINGBUF_OUTPUT
all
BPF_RINGBUF_RESERVE
all
BPF_RINGBUF_SUBMIT
all
BPF_RINGBUF_DISCARD
all
BPF_RINGBUF_QUERY
all
BPF_CSUM_LEVEL
all
BPF_SKC_TO_TCP6_SOCK
all
BPF_SKC_TO_TCP_SOCK
all
BPF_SKC_TO_TCP_TIMEWAIT_SOCK
all
BPF_SKC_TO_TCP_REQUEST_SOCK
all
BPF_SKC_TO_UDP6_SOCK
all
BPF_GET_TASK_STACK
all
BPF_LOAD_HDR_OPT
all
BPF_STORE_HDR_OPT
all
BPF_RESERVE_HDR_OPT
all
BPF_INODE_STORAGE_GET
all
BPF_INODE_STORAGE_DELETE
all
BPF_D_PATH
all
BPF_COPY_FROM_USER
all
BPF_SNPRINTF_BTF
all
BPF_SEQ_PRINTF_BTF
all
BPF_SKB_CGROUP_CLASSID
all
BPF_REDIRECT_NEIGH
all
BPF_PER_CPU_PTR
all
BPF_THIS_CPU_PTR
all
BPF_REDIRECT_PEER
all
BPF_TASK_STORAGE_GET
all
BPF_TASK_STORAGE_DELETE
all
BPF_GET_CURRENT_TASK_BTF
all
BPF_BPRM_OPTS_SET
all
BPF_KTIME_GET_COARSE_NS
all
BPF_IMA_INODE_HASH
all
BPF_SOCK_FROM_FILE
all
BPF_CHECK_MTU
all
BPF_FOR_EACH_MAP_ELEM
all
BPF_SNPRINTF
all
BPF map types
BPF map types are the supported eBPF map types.
Name
Architectures
BPF_MAP_TYPE_UNSPEC
all
BPF_MAP_TYPE_HASH
all
BPF_MAP_TYPE_ARRAY
all
BPF_MAP_TYPE_PROG_ARRAY
all
BPF_MAP_TYPE_PERF_EVENT_ARRAY
all
BPF_MAP_TYPE_PERCPU_HASH
all
BPF_MAP_TYPE_PERCPU_ARRAY
all
BPF_MAP_TYPE_STACK_TRACE
all
BPF_MAP_TYPE_CGROUP_ARRAY
all
BPF_MAP_TYPE_LRU_HASH
all
BPF_MAP_TYPE_LRU_PERCPU_HASH
all
BPF_MAP_TYPE_LPM_TRIE
all
BPF_MAP_TYPE_ARRAY_OF_MAPS
all
BPF_MAP_TYPE_HASH_OF_MAPS
all
BPF_MAP_TYPE_DEVMAP
all
BPF_MAP_TYPE_SOCKMAP
all
BPF_MAP_TYPE_CPUMAP
all
BPF_MAP_TYPE_XSKMAP
all
BPF_MAP_TYPE_SOCKHASH
all
BPF_MAP_TYPE_CGROUP_STORAGE
all
BPF_MAP_TYPE_REUSEPORT_SOCKARRAY
all
BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE
all
BPF_MAP_TYPE_QUEUE
all
BPF_MAP_TYPE_STACK
all
BPF_MAP_TYPE_SK_STORAGE
all
BPF_MAP_TYPE_DEVMAP_HASH
all
BPF_MAP_TYPE_STRUCT_OPS
all
BPF_MAP_TYPE_RINGBUF
all
BPF_MAP_TYPE_INODE_STORAGE
all
BPF_MAP_TYPE_TASK_STORAGE
all
BPF program types
BPF program types are the supported eBPF program types.
Name
Architectures
BPF_PROG_TYPE_UNSPEC
all
BPF_PROG_TYPE_SOCKET_FILTER
all
BPF_PROG_TYPE_KPROBE
all
BPF_PROG_TYPE_SCHED_CLS
all
BPF_PROG_TYPE_SCHED_ACT
all
BPF_PROG_TYPE_TRACEPOINT
all
BPF_PROG_TYPE_XDP
all
BPF_PROG_TYPE_PERF_EVENT
all
BPF_PROG_TYPE_CGROUP_SKB
all
BPF_PROG_TYPE_CGROUP_SOCK
all
BPF_PROG_TYPE_LWT_IN
all
BPF_PROG_TYPE_LWT_OUT
all
BPF_PROG_TYPE_LWT_XMIT
all
BPF_PROG_TYPE_SOCK_OPS
all
BPF_PROG_TYPE_SK_SKB
all
BPF_PROG_TYPE_CGROUP_DEVICE
all
BPF_PROG_TYPE_SK_MSG
all
BPF_PROG_TYPE_RAW_TRACEPOINT
all
BPF_PROG_TYPE_CGROUP_SOCK_ADDR
all
BPF_PROG_TYPE_LWT_SEG6LOCAL
all
BPF_PROG_TYPE_LIRC_MODE2
all
BPF_PROG_TYPE_SK_REUSEPORT
all
BPF_PROG_TYPE_FLOW_DISSECTOR
all
BPF_PROG_TYPE_CGROUP_SYSCTL
all
BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE
all
BPF_PROG_TYPE_CGROUP_SOCKOPT
all
BPF_PROG_TYPE_TRACING
all
BPF_PROG_TYPE_STRUCT_OPS
all
BPF_PROG_TYPE_EXT
all
BPF_PROG_TYPE_LSM
all
BPF_PROG_TYPE_SK_LOOKUP
all
Boolean constants
Boolean constants are the supported boolean constants.
Name
Architectures
true
all
false
all
DNS qclasses
DNS qclasses are the supported DNS query classes.
Name
Architectures
CLASS_INET
all
CLASS_CSNET
all
CLASS_CHAOS
all
CLASS_HESIOD
all
CLASS_NONE
all
CLASS_ANY
all
DNS qtypes
DNS qtypes are the supported DNS query types.
Name
Architectures
None
all
A
all
NS
all
MD
all
MF
all
CNAME
all
SOA
all
MB
all
MG
all
MR
all
NULL
all
PTR
all
HINFO
all
MINFO
all
MX
all
TXT
all
RP
all
AFSDB
all
X25
all
ISDN
all
RT
all
NSAPPTR
all
SIG
all
KEY
all
PX
all
GPOS
all
AAAA
all
LOC
all
NXT
all
EID
all
NIMLOC
all
SRV
all
ATMA
all
NAPTR
all
KX
all
CERT
all
DNAME
all
OPT
all
APL
all
DS
all
SSHFP
all
RRSIG
all
NSEC
all
DNSKEY
all
DHCID
all
NSEC3
all
NSEC3PARAM
all
TLSA
all
SMIMEA
all
HIP
all
NINFO
all
RKEY
all
TALINK
all
CDS
all
CDNSKEY
all
OPENPGPKEY
all
CSYNC
all
ZONEMD
all
SVCB
all
HTTPS
all
SPF
all
UINFO
all
UID
all
GID
all
UNSPEC
all
NID
all
L32
all
L64
all
LP
all
EUI48
all
EUI64
all
URI
all
CAA
all
AVC
all
TKEY
all
TSIG
all
IXFR
all
AXFR
all
MAILB
all
MAILA
all
ANY
all
TA
all
DLV
all
Reserved
all
Error constants
Error constants are the supported error constants.
Name
Architectures
E2BIG
all
EACCES
all
EADDRINUSE
all
EADDRNOTAVAIL
all
EADV
all
EAFNOSUPPORT
all
EAGAIN
all
EALREADY
all
EBADE
all
EBADF
all
EBADFD
all
EBADMSG
all
EBADR
all
EBADRQC
all
EBADSLT
all
EBFONT
all
EBUSY
all
ECANCELED
all
ECHILD
all
ECHRNG
all
ECOMM
all
ECONNABORTED
all
ECONNREFUSED
all
ECONNRESET
all
EDEADLK
all
EDEADLOCK
all
EDESTADDRREQ
all
EDOM
all
EDOTDOT
all
EDQUOT
all
EEXIST
all
EFAULT
all
EFBIG
all
EHOSTDOWN
all
EHOSTUNREACH
all
EIDRM
all
EILSEQ
all
EINPROGRESS
all
EINTR
all
EINVAL
all
EIO
all
EISCONN
all
EISDIR
all
EISNAM
all
EKEYEXPIRED
all
EKEYREJECTED
all
EKEYREVOKED
all
EL2HLT
all
EL2NSYNC
all
EL3HLT
all
EL3RST
all
ELIBACC
all
ELIBBAD
all
ELIBEXEC
all
ELIBMAX
all
ELIBSCN
all
ELNRNG
all
ELOOP
all
EMEDIUMTYPE
all
EMFILE
all
EMLINK
all
EMSGSIZE
all
EMULTIHOP
all
ENAMETOOLONG
all
ENAVAIL
all
ENETDOWN
all
ENETRESET
all
ENETUNREACH
all
ENFILE
all
ENOANO
all
ENOBUFS
all
ENOCSI
all
ENODATA
all
ENODEV
all
ENOENT
all
ENOEXEC
all
ENOKEY
all
ENOLCK
all
ENOLINK
all
ENOMEDIUM
all
ENOMEM
all
ENOMSG
all
ENONET
all
ENOPKG
all
ENOPROTOOPT
all
ENOSPC
all
ENOSR
all
ENOSTR
all
ENOSYS
all
ENOTBLK
all
ENOTCONN
all
ENOTDIR
all
ENOTEMPTY
all
ENOTNAM
all
ENOTRECOVERABLE
all
ENOTSOCK
all
ENOTSUP
all
ENOTTY
all
ENOTUNIQ
all
ENXIO
all
EOPNOTSUPP
all
EOVERFLOW
all
EOWNERDEAD
all
EPERM
all
EPFNOSUPPORT
all
EPIPE
all
EPROTO
all
EPROTONOSUPPORT
all
EPROTOTYPE
all
ERANGE
all
EREMCHG
all
EREMOTE
all
EREMOTEIO
all
ERESTART
all
ERFKILL
all
EROFS
all
ESHUTDOWN
all
ESOCKTNOSUPPORT
all
ESPIPE
all
ESRCH
all
ESRMNT
all
ESTALE
all
ESTRPIPE
all
ETIME
all
ETIMEDOUT
all
ETOOMANYREFS
all
ETXTBSY
all
EUCLEAN
all
EUNATCH
all
EUSERS
all
EWOULDBLOCK
all
EXDEV
all
EXFULL
all
File mode constants
File mode constants are the supported file permissions as well as constants for the set-user-ID, set-group-ID, and sticky bits.
Name
Architectures
S_ISUID
all
S_ISGID
all
S_ISVTX
all
S_IRWXU
all
S_IRUSR
all
S_IWUSR
all
S_IXUSR
all
S_IRWXG
all
S_IRGRP
all
S_IWGRP
all
S_IXGRP
all
S_IRWXO
all
S_IROTH
all
S_IWOTH
all
S_IXOTH
all
Inode mode constants
Inode mode constants are the supported file type constants as well as the file mode constants.
Name
Architectures
S_IFMT
all
S_IFSOCK
all
S_IFLNK
all
S_IFREG
all
S_IFBLK
all
S_IFDIR
all
S_IFCHR
all
S_IFIFO
all
S_ISUID
all
S_ISGID
all
S_ISVTX
all
S_IRWXU
all
S_IRUSR
all
S_IWUSR
all
S_IXUSR
all
S_IRWXG
all
S_IRGRP
all
S_IWGRP
all
S_IXGRP
all
S_IRWXO
all
S_IROTH
all
S_IWOTH
all
S_IXOTH
all
Kernel Capability constants
Kernel Capability constants are the supported Linux Kernel Capability.
Name
Architectures
CAP_AUDIT_CONTROL
all
CAP_AUDIT_READ
all
CAP_AUDIT_WRITE
all
CAP_BLOCK_SUSPEND
all
CAP_BPF
all
CAP_CHECKPOINT_RESTORE
all
CAP_CHOWN
all
CAP_DAC_OVERRIDE
all
CAP_DAC_READ_SEARCH
all
CAP_FOWNER
all
CAP_FSETID
all
CAP_IPC_LOCK
all
CAP_IPC_OWNER
all
CAP_KILL
all
CAP_LEASE
all
CAP_LINUX_IMMUTABLE
all
CAP_MAC_ADMIN
all
CAP_MAC_OVERRIDE
all
CAP_MKNOD
all
CAP_NET_ADMIN
all
CAP_NET_BIND_SERVICE
all
CAP_NET_BROADCAST
all
CAP_NET_RAW
all
CAP_PERFMON
all
CAP_SETFCAP
all
CAP_SETGID
all
CAP_SETPCAP
all
CAP_SETUID
all
CAP_SYSLOG
all
CAP_SYS_ADMIN
all
CAP_SYS_BOOT
all
CAP_SYS_CHROOT
all
CAP_SYS_MODULE
all
CAP_SYS_NICE
all
CAP_SYS_PACCT
all
CAP_SYS_PTRACE
all
CAP_SYS_RAWIO
all
CAP_SYS_RESOURCE
all
CAP_SYS_TIME
all
CAP_SYS_TTY_CONFIG
all
CAP_WAKE_ALARM
all
L3 protocols
L3 protocols are the supported Layer 3 protocols.
Name
Architectures
ETH_P_LOOP
all
ETH_P_PUP
all
ETH_P_PUPAT
all
ETH_P_TSN
all
ETH_P_IP
all
ETH_P_X25
all
ETH_P_ARP
all
ETH_P_BPQ
all
ETH_P_IEEEPUP
all
ETH_P_IEEEPUPAT
all
ETH_P_BATMAN
all
ETH_P_DEC
all
ETH_P_DNADL
all
ETH_P_DNARC
all
ETH_P_DNART
all
ETH_P_LAT
all
ETH_P_DIAG
all
ETH_P_CUST
all
ETH_P_SCA
all
ETH_P_TEB
all
ETH_P_RARP
all
ETH_P_ATALK
all
ETH_P_AARP
all
ETH_P_8021_Q
all
ETH_P_ERSPAN
all
ETH_P_IPX
all
ETH_P_IPV6
all
ETH_P_PAUSE
all
ETH_P_SLOW
all
ETH_P_WCCP
all
ETH_P_MPLSUC
all
ETH_P_MPLSMC
all
ETH_P_ATMMPOA
all
ETH_P_PPPDISC
all
ETH_P_PPPSES
all
ETH_P__LINK_CTL
all
ETH_P_ATMFATE
all
ETH_P_PAE
all
ETH_P_AOE
all
ETH_P_8021_AD
all
ETH_P_802_EX1
all
ETH_P_TIPC
all
ETH_P_MACSEC
all
ETH_P_8021_AH
all
ETH_P_MVRP
all
ETH_P_1588
all
ETH_P_NCSI
all
ETH_P_PRP
all
ETH_P_FCOE
all
ETH_P_IBOE
all
ETH_P_TDLS
all
ETH_P_FIP
all
ETH_P_80221
all
ETH_P_HSR
all
ETH_P_NSH
all
ETH_P_LOOPBACK
all
ETH_P_QINQ1
all
ETH_P_QINQ2
all
ETH_P_QINQ3
all
ETH_P_EDSA
all
ETH_P_IFE
all
ETH_P_AFIUCV
all
ETH_P_8023_MIN
all
ETH_P_IPV6_HOP_BY_HOP
all
ETH_P_8023
all
ETH_P_AX25
all
ETH_P_ALL
all
ETH_P_8022
all
ETH_P_SNAP
all
ETH_P_DDCMP
all
ETH_P_WANPPP
all
ETH_P_PPPMP
all
ETH_P_LOCALTALK
all
ETH_P_CAN
all
ETH_P_CANFD
all
ETH_P_PPPTALK
all
ETH_P_TR8022
all
ETH_P_MOBITEX
all
ETH_P_CONTROL
all
ETH_P_IRDA
all
ETH_P_ECONET
all
ETH_P_HDLC
all
ETH_P_ARCNET
all
ETH_P_DSA
all
ETH_P_TRAILER
all
ETH_P_PHONET
all
ETH_P_IEEE802154
all
ETH_P_CAIF
all
ETH_P_XDSA
all
ETH_P_MAP
all
L4 protocols
L4 protocols are the supported Layer 4 protocols.
Name
Architectures
IP_PROTO_IP
all
IP_PROTO_ICMP
all
IP_PROTO_IGMP
all
IP_PROTO_IPIP
all
IP_PROTO_TCP
all
IP_PROTO_EGP
all
IP_PROTO_IGP
all
IP_PROTO_PUP
all
IP_PROTO_UDP
all
IP_PROTO_IDP
all
IP_PROTO_TP
all
IP_PROTO_DCCP
all
IP_PROTO_IPV6
all
IP_PROTO_RSVP
all
IP_PROTO_GRE
all
IP_PROTO_ESP
all
IP_PROTO_AH
all
IP_PROTO_ICMPV6
all
IP_PROTO_MTP
all
IP_PROTO_BEETPH
all
IP_PROTO_ENCAP
all
IP_PROTO_PIM
all
IP_PROTO_COMP
all
IP_PROTO_SCTP
all
IP_PROTO_UDPLITE
all
IP_PROTO_MPLS
all
IP_PROTO_RAW
all
MMap flags
MMap flags are the supported flags for the mmap syscall.
Name
Architectures
MAP_SHARED
all
MAP_PRIVATE
all
MAP_SHARED_VALIDATE
all
MAP_ANON
all
MAP_ANONYMOUS
all
MAP_DENYWRITE
all
MAP_EXECUTABLE
all
MAP_FIXED
all
MAP_FIXED_NOREPLACE
all
MAP_GROWSDOWN
all
MAP_HUGETLB
all
MAP_LOCKED
all
MAP_NONBLOCK
all
MAP_NORESERVE
all
MAP_POPULATE
all
MAP_STACK
all
MAP_SYNC
all
MAP_UNINITIALIZED
all
MAP_HUGE_16KB
all
MAP_HUGE_64KB
all
MAP_HUGE_512KB
all
MAP_HUGE_1MB
all
MAP_HUGE_2MB
all
MAP_HUGE_8MB
all
MAP_HUGE_16MB
all
MAP_HUGE_32MB
all
MAP_HUGE_256MB
all
MAP_HUGE_512MB
all
MAP_HUGE_1GB
all
MAP_HUGE_2GB
all
MAP_HUGE_16GB
all
MAP_32BIT
amd64
Network Address Family constants
Network Address Family constants are the supported network address families.
Name
Architectures
AF_UNSPEC
all
AF_LOCAL
all
AF_UNIX
all
AF_FILE
all
AF_INET
all
AF_AX25
all
AF_IPX
all
AF_APPLETALK
all
AF_NETROM
all
AF_BRIDGE
all
AF_ATMPVC
all
AF_X25
all
AF_INET6
all
AF_ROSE
all
AF_DECnet
all
AF_NETBEUI
all
AF_SECURITY
all
AF_KEY
all
AF_NETLINK
all
AF_ROUTE
all
AF_PACKET
all
AF_ASH
all
AF_ECONET
all
AF_ATMSVC
all
AF_RDS
all
AF_SNA
all
AF_IRDA
all
AF_PPPOX
all
AF_WANPIPE
all
AF_LLC
all
AF_IB
all
AF_MPLS
all
AF_CAN
all
AF_TIPC
all
AF_BLUETOOTH
all
AF_IUCV
all
AF_RXRPC
all
AF_ISDN
all
AF_PHONET
all
AF_IEEE802154
all
AF_CAIF
all
AF_ALG
all
AF_NFC
all
AF_VSOCK
all
AF_KCM
all
AF_QIPCRTR
all
AF_SMC
all
AF_XDP
all
AF_MAX
all
Open flags
Open flags are the supported flags for the open syscall.
Name
Architectures
O_RDONLY
all
O_WRONLY
all
O_RDWR
all
O_APPEND
all
O_CREAT
all
O_EXCL
all
O_SYNC
all
O_TRUNC
all
O_ACCMODE
all
O_ASYNC
all
O_CLOEXEC
all
O_DIRECT
all
O_DIRECTORY
all
O_DSYNC
all
O_FSYNC
all
O_NDELAY
all
O_NOATIME
all
O_NOCTTY
all
O_NOFOLLOW
all
O_NONBLOCK
all
O_RSYNC
all
Pipe buffer flags
Pipe buffer flags are the supported flags for a pipe buffer.
Name
Architectures
PIPE_BUF_FLAG_LRU
all
PIPE_BUF_FLAG_ATOMIC
all
PIPE_BUF_FLAG_GIFT
all
PIPE_BUF_FLAG_PACKET
all
PIPE_BUF_FLAG_CAN_MERGE
all
PIPE_BUF_FLAG_WHOLE
all
PIPE_BUF_FLAG_LOSS
all
Protection constants
Protection constants are the supported protections for the mmap syscall.
Name
Architectures
PROT_NONE
all
PROT_READ
all
PROT_WRITE
all
PROT_EXEC
all
PROT_GROWSDOWN
all
PROT_GROWSUP
all
Ptrace constants
Ptrace constants are the supported ptrace commands for the ptrace syscall.
Name
Architectures
PTRACE_TRACEME
all
PTRACE_PEEKTEXT
all
PTRACE_PEEKDATA
all
PTRACE_PEEKUSR
all
PTRACE_POKETEXT
all
PTRACE_POKEDATA
all
PTRACE_POKEUSR
all
PTRACE_CONT
all
PTRACE_KILL
all
PTRACE_SINGLESTEP
all
PTRACE_ATTACH
all
PTRACE_DETACH
all
PTRACE_SYSCALL
all
PTRACE_SETOPTIONS
all
PTRACE_GETEVENTMSG
all
PTRACE_GETSIGINFO
all
PTRACE_SETSIGINFO
all
PTRACE_GETREGSET
all
PTRACE_SETREGSET
all
PTRACE_SEIZE
all
PTRACE_INTERRUPT
all
PTRACE_LISTEN
all
PTRACE_PEEKSIGINFO
all
PTRACE_GETSIGMASK
all
PTRACE_SETSIGMASK
all
PTRACE_SECCOMP_GET_FILTER
all
PTRACE_SECCOMP_GET_METADATA
all
PTRACE_GET_SYSCALL_INFO
all
PTRACE_GETFPREGS
amd64, arm
PTRACE_SETFPREGS
amd64, arm
PTRACE_GETFPXREGS
amd64
PTRACE_SETFPXREGS
amd64
PTRACE_OLDSETOPTIONS
amd64, arm
PTRACE_GET_THREAD_AREA
amd64, arm
PTRACE_SET_THREAD_AREA
amd64
PTRACE_ARCH_PRCTL
amd64
PTRACE_SYSEMU
amd64, arm64
PTRACE_SYSEMU_SINGLESTEP
amd64, arm64
PTRACE_SINGLEBLOCK
amd64
PTRACE_GETCRUNCHREGS
arm
PTRACE_GETFDPIC
arm
PTRACE_GETFDPIC_EXEC
arm
PTRACE_GETFDPIC_INTERP
arm
PTRACE_GETHBPREGS
arm
PTRACE_GETVFPREGS
arm
PTRACE_GETWMMXREGS
arm
PTRACE_SETCRUNCHREGS
arm
PTRACE_SETHBPREGS
arm
PTRACE_SETVFPREGS
arm
PTRACE_SETWMMXREGS
arm
PTRACE_SET_SYSCALL
arm
PTRACE_PEEKMTETAGS
arm64
PTRACE_POKEMTETAGS
arm64
Signal constants
Signal constants are the supported signals for the kill syscall.
Name
Architectures
SIGHUP
all
SIGINT
all
SIGQUIT
all
SIGILL
all
SIGTRAP
all
SIGABRT
all
SIGIOT
all
SIGBUS
all
SIGFPE
all
SIGKILL
all
SIGUSR1
all
SIGSEGV
all
SIGUSR2
all
SIGPIPE
all
SIGALRM
all
SIGTERM
all
SIGSTKFLT
all
SIGCHLD
all
SIGCONT
all
SIGSTOP
all
SIGTSTP
all
SIGTTIN
all
SIGTTOU
all
SIGURG
all
SIGXCPU
all
SIGXFSZ
all
SIGVTALRM
all
SIGPROF
all
SIGWINCH
all
SIGIO
all
SIGPOLL
all
SIGPWR
all
SIGSYS
all
Unlink flags
Unlink flags are the supported flags for the unlink syscall.
Name
Architectures
AT_REMOVEDIR
all
Virtual Memory flags
Virtual Memory flags define the protection of a virtual memory segment.
Name
Architectures
VM_NONE
all
VM_READ
all
VM_WRITE
all
VM_EXEC
all
VM_SHARED
all
VM_MAYREAD
all
VM_MAYWRITE
all
VM_MAYEXEC
all
VM_MAYSHARE
all
VM_GROWSDOWN
all
VM_UFFD_MISSING
all
VM_PFNMAP
all
VM_UFFD_WP
all
VM_LOCKED
all
VM_IO
all
VM_SEQ_READ
all
VM_RAND_READ
all
VM_DONTCOPY
all
VM_DONTEXPAND
all
VM_LOCKONFAULT
all
VM_ACCOUNT
all
VM_NORESERVE
all
VM_HUGETLB
all
VM_SYNC
all
VM_ARCH_1
all
VM_WIPEONFORK
all
VM_DONTDUMP
all
VM_SOFTDIRTY
all
VM_MIXEDMAP
all
VM_HUGEPAGE
all
VM_NOHUGEPAGE
all
VM_MERGEABLE
all
Additional helpful documentation, links, and articles:
