https://v0-43--falcosecurity.netlify.app/docs/reference/rules/Recent content in Falco Rules on FalcoHugo -- gohugo.ioenhttps://v0-43--falcosecurity.netlify.app/docs/reference/rules/rule-fields/Mon, 01 Jan 0001 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/docs/reference/rules/rule-fields/ <p>A Falco rule can contain the following keys:</p> <table> <thead> <tr> <th style="text-align: left">Key</th> <th style="text-align: center">Required</th> <th style="text-align: left">Description</th> <th style="text-align: center">Default</th> </tr> </thead> <tbody> <tr> <td style="text-align: left"><code>rule</code></td> <td style="text-align: center">yes</td> <td style="text-align: left">A short, unique name for the rule.</td> <td></td> </tr> <tr> <td style="text-align: left"><code>condition</code></td> <td style="text-align: center">yes</td> <td style="text-align: left">A filtering expression that is applied against events to check whether they match the rule.</td> <td></td> </tr> <tr> <td style="text-align: left"><code>desc</code></td> <td style="text-align: center">yes</td> <td style="text-align: left">A longer description of what the rule detects.</td> <td></td> </tr> <tr> <td style="text-align: left"><code>output</code></td> <td style="text-align: center">yes</td> <td style="text-align: left">Specifies the message that should be output if a matching event occurs. See <a href="https://v0-43--falcosecurity.netlify.app/docs/rules/basic-elements/#output">output</a>.</td> <td></td> </tr> <tr> <td style="text-align: left"><code>priority</code></td> <td style="text-align: center">yes</td> <td style="text-align: left">A case-insensitive representation of the severity of the event. Should be one of the following: <code>emergency</code>, <code>alert</code>, <code>critical</code>, <code>error</code>, <code>warning</code>, <code>notice</code>, <code>informational</code>, <code>debug</code>.</td> <td></td> </tr> <tr> <td style="text-align: left"><code>exceptions</code></td> <td style="text-align: center">no</td> <td style="text-align: left">A set of <a href="https://v0-43--falcosecurity.netlify.app/docs/rules/exceptions/">exceptions</a> that cause the rule to not generate an alert.</td> <td></td> </tr> <tr> <td style="text-align: left"><code>enabled</code></td> <td style="text-align: center">no</td> <td style="text-align: left">If set to <code>false</code>, a rule is neither loaded nor matched against any events.</td> <td style="text-align: center"><code>true</code></td> </tr> <tr> <td style="text-align: left"><code>tags</code></td> <td style="text-align: center">no</td> <td style="text-align: left">A list of tags applied to the rule (more on this <a href="https://v0-43--falcosecurity.netlify.app/docs/rules/controlling-rules/#tags">below</a>).</td> <td></td> </tr> <tr> <td style="text-align: left"><code>warn_evttypes</code></td> <td style="text-align: center">no</td> <td style="text-align: left">If set to <code>false</code>, Falco suppresses warnings related to a rule not having an event type (more on this <a href="https://v0-43--falcosecurity.netlify.app/docs/rules/style-guide/#condition-syntax">below</a>).</td> <td style="text-align: center"><code>true</code></td> </tr> <tr> <td style="text-align: left"><code>skip-if-unknown-filter</code></td> <td style="text-align: center">no</td> <td style="text-align: left">If set to <code>true</code>, if a rule conditions contains a filtercheck, e.g. <code>fd.some_new_field</code>, that is not known to this version of Falco, Falco silently accepts the rule but does not execute it; if set to <code>false</code>, Falco reports an error and exists when finding an unknown filtercheck.</td> <td style="text-align: center"><code>false</code></td> </tr> <tr> <td style="text-align: left"><code>source</code></td> <td style="text-align: center">no</td> <td style="text-align: left">The event source for which this rule should be evaluated. Typical values are <code>syscall</code>, <code>k8s_audit</code>, or the source advertised by a source <a href="https://v0-43--falcosecurity.netlify.app/docs/plugins/">plugin</a>.</td> <td style="text-align: center"><code>syscall</code></td> </tr> <tr> <td style="text-align: left"><code>append</code></td> <td style="text-align: center">no</td> <td style="text-align: left">When set to <code>true</code>, it adds conditions and/or exceptions to a previously defined rule or macro instead of overseeding it. Not used when the goal is just to enable an already existing rule. In case of appending to a list, it adds new elements to it.</td> <td></td> </tr> </tbody> </table>https://v0-43--falcosecurity.netlify.app/docs/reference/rules/default-macros/Mon, 01 Jan 0001 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/docs/reference/rules/default-macros/ <p>The default Falco rule set defines a number of macros that makes it easier to start writing rules. These macros provide shortcuts for a number of common scenarios and can be used in any user defined rule sets.</p> <p>Falco also provide Macros that should be overridden. Refer <a href="https://v0-43--falcosecurity.netlify.app/docs/reference/rules/macros-override/">here</a> for further information.</p> <h3 id="file-opened-for-writing">File Opened for Writing</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>open_write<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>(evt.type=open or evt.type=openat) and evt.is_open_write=true and fd.typechar=&#39;f&#39; and fd.num&gt;=0<span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="file-opened-for-reading">File Opened for Reading</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>open_read<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>(evt.type=open or evt.type=openat) and evt.is_open_read=true and fd.typechar=&#39;f&#39; and fd.num&gt;=0<span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="never-true">Never True</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>never_true<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>(evt.num=0)<span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="always-true">Always True</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>always_true<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>(evt.num=&gt;0)<span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="proc-name-is-set">Proc Name is Set</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>proc_name_exists<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>(proc.name!=&#34;&lt;NA&gt;&#34;)<span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="file-system-object-renamed">File System Object Renamed</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>rename<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>evt.type in (rename, renameat)<span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="new-directory-created">New Directory Created</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>mkdir<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>evt.type = mkdir<span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="file-system-object-removed">File System Object Removed</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>remove<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>evt.type in (rmdir, unlink, unlinkat)<span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="file-system-object-modified">File System Object Modified</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>modify<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>rename or remove<span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="new-process-spawned">New Process Spawned</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>spawned_process<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>(evt.type in (execve, execveat))<span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="common-directories-for-binaries">Common Directories for Binaries</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>bin_dir<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)<span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="shell-is-started">Shell is Started</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>shell_procs<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>(proc.name in (shell_binaries))<span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="known-sensitive-files">Known Sensitive Files</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>sensitive_files<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>&gt;<span style="color:#b44;font-style:italic"> </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> fd.name startswith /etc and </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> (fd.name in (sensitive_file_names) </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> or fd.directory in (/etc/sudoers.d, /etc/pam.d))</span><span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="newly-created-process">Newly Created Process</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>proc_is_new<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>proc.duration &lt;= 5000000000<span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="inbound-network-connections">Inbound Network Connections</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>inbound<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>&gt;<span style="color:#b44;font-style:italic"> </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> ((evt.type in (accept,listen)) or </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> (fd.typechar = 4 or fd.typechar = 6) and </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> (fd.ip != &#34;0.0.0.0&#34; and fd.net != &#34;127.0.0.0/8&#34;) and (evt.rawres &gt;= 0 or evt.res = EINPROGRESS))</span><span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="outbound-network-connections">Outbound Network Connections</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>outbound<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>&gt;<span style="color:#b44;font-style:italic"> </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> ((evt.type = connect) or </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> (fd.typechar = 4 or fd.typechar = 6) and </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> (fd.ip != &#34;0.0.0.0&#34; and fd.net != &#34;127.0.0.0/8&#34;) and (evt.rawres &gt;= 0 or evt.res = EINPROGRESS))</span><span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="inbound-or-outbound-network-connections">Inbound or Outbound Network Connections</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>inbound_outbound<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>&gt;<span style="color:#b44;font-style:italic"> </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> ((evt.type in (accept,listen,connect)) or </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> (fd.typechar = 4 or fd.typechar = 6) and </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> (fd.ip != &#34;0.0.0.0&#34; and fd.net != &#34;127.0.0.0/8&#34;) and (evt.rawres &gt;= 0 or evt.res = EINPROGRESS))</span><span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="object-is-a-container">Object is a Container</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>container<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>container.id != host<span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="interactive-process-spawned">Interactive Process Spawned</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>interactive<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>&gt;<span style="color:#b44;font-style:italic"> </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> ((proc.aname=sshd and proc.name != sshd) or </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> proc.name=systemd-logind or proc.name=login)</span><span style="color:#bbb"> </span></span></span></code></pre></div>https://v0-43--falcosecurity.netlify.app/docs/reference/rules/macros-override/Mon, 01 Jan 0001 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/docs/reference/rules/macros-override/ <p>Falco also provide Macros that should be overridden by the user to provide settings that are specific to a user's environment. The provided Macros can also be appended to in a local rules file.</p> <p>The below macros contain values that can be overridden for a user's specific environment.</p> <h3 id="common-ssh-port">Common SSH Port</h3> <p>Override this macro to reflect ports in your environment that provide SSH services.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>ssh_port<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>fd.sport=22<span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="allowed-ssh-hosts">Allowed SSH Hosts</h3> <p>Override this macro to reflect hosts that can connect to known SSH ports (ie a bastion or jump box).</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>allowed_ssh_hosts<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>ssh_port<span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="user-trusted-containers">User Trusted Containers</h3> <p>Allowlist containers that are allowed to run in privileged mode.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>user_trusted_containers<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>(container.image startswith sysdig/agent)<span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="containers-allowed-to-spawn-shells">Containers Allowed to Spawn Shells</h3> <p>Allowlist containers that are allowed to spawn shells, which may be needed if containers are used in the CI/CD pipeline.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>user_shell_container_exclusions<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>(never_true)<span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="containers-allowed-to-communicate-with-ec2-metadata-services">Containers Allowed to Communicate with EC2 Metadata Services</h3> <p>Allowlist containers that are allowed to communicate with the EC2 metadata service. Default: any container.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>ec2_metadata_containers<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>container<span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="kubernetes-api-server">Kubernetes API Server</h3> <p>Set the IP of your Kubernetes API Service here.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>k8s_api_server<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>(fd.sip=&#34;1.2.3.4&#34; and fd.sport=8080)<span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="containers-allowed-to-communicate-with-the-kubernetes-api">Containers Allowed to Communicate with the Kubernetes API</h3> <p>Allowlist containers that are allowed to communicate with the Kubernetes API Service. Requires k8s_api_server being set.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>k8s_containers<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>&gt;<span style="color:#b44;font-style:italic"> </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> (container.image startswith gcr.io/google_containers/hyperkube-amd64 or </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> container.image startswith gcr.io/google_containers/kube2sky or </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> container.image startswith sysdig/agent or </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> container.image startswith sysdig/falco or </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> container.image startswith sysdig/sysdig)</span><span style="color:#bbb"> </span></span></span></code></pre></div> <h3 id="containers-allowed-to-communicate-with-kubernetes-service-nodeports">Containers Allowed to Communicate with Kubernetes Service NodePorts</h3> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>nodeport_containers<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>container<span style="color:#bbb"> </span></span></span></code></pre></div>https://v0-43--falcosecurity.netlify.app/docs/reference/rules/supported-events/Mon, 01 Jan 0001 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/docs/reference/rules/supported-events/ <p>Here are the system call event types and args supported by the <a href="https://v0-43--falcosecurity.netlify.app/docs/concepts/event-sources/kernel/">kernel module and eBPF probes</a> via <code>libscap</code> included in the Falco libs. Note that, for performance reasons, by default Falco will only consider a subset of them indicated in the table below with &quot;yes&quot;. However, it's possible to make Falco consider all events by using the <code>-A</code> command line switch.</p> <p>Note that several event types exist:</p> <ul> <li><a href="https://v0-43--falcosecurity.netlify.app/docs/reference/rules/supported-events/#syscall-events">Syscall events</a> correspond to Linux system calls. Most of them have parameters, documented below, while some are detected as generic and they only offer the syscall ID.</li> <li><a href="https://v0-43--falcosecurity.netlify.app/docs/reference/rules/supported-events/#tracepoint-events">Tracepoint events</a> represent internal kernel events that may be significant but don't directly translate to any syscall.</li> <li><a href="https://v0-43--falcosecurity.netlify.app/docs/reference/rules/supported-events/#metaevents">Metaevents</a> are generated from supplementary data sources, for instance, during data enrichment procedures or when the need for asynchronous actions arises. This group also encompasses some of Falco's internally produced events (such as the <code>drop</code> event) that are unavailable for rules.</li> <li><a href="https://v0-43--falcosecurity.netlify.app/docs/reference/rules/supported-events/#plugin-events">Plugin events</a> act as an envelope for actual plugin event data. In order to write rules that use plugins use the fields documented in the individual plugin.</li> </ul> <!-- generated with: falco --list-events --markdown --> <p>The events below are valid for Falco <em>Schema Version</em>: 4.1.0</p> <h2 id="syscall-events">Syscall events</h2> <table> <thead> <tr> <th style="text-align: left">Default</th> <th style="text-align: left">Dir</th> <th style="text-align: left">Name</th> <th style="text-align: left">Params</th> </tr> </thead> <tbody> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>open</code></td> <td style="text-align: left">FSPATH <strong>name</strong>, FLAGS32 <strong>flags</strong>: <em>O_LARGEFILE</em>, <em>O_DIRECTORY</em>, <em>O_DIRECT</em>, <em>O_TRUNC</em>, <em>O_SYNC</em>, <em>O_NONBLOCK</em>, <em>O_EXCL</em>, <em>O_DSYNC</em>, <em>O_APPEND</em>, <em>O_CREAT</em>, <em>O_RDWR</em>, <em>O_WRONLY</em>, <em>O_RDONLY</em>, <em>O_CLOEXEC</em>, <em>O_NONE</em>, <em>O_TMPFILE</em>, <em>O_F_CREATED</em>, <em>FD_UPPER_LAYER</em>, <em>FD_LOWER_LAYER</em>, UINT32 <strong>mode</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>open</code></td> <td style="text-align: left">FD <strong>fd</strong>, FSPATH <strong>name</strong>, FLAGS32 <strong>flags</strong>: <em>O_LARGEFILE</em>, <em>O_DIRECTORY</em>, <em>O_DIRECT</em>, <em>O_TRUNC</em>, <em>O_SYNC</em>, <em>O_NONBLOCK</em>, <em>O_EXCL</em>, <em>O_DSYNC</em>, <em>O_APPEND</em>, <em>O_CREAT</em>, <em>O_RDWR</em>, <em>O_WRONLY</em>, <em>O_RDONLY</em>, <em>O_CLOEXEC</em>, <em>O_NONE</em>, <em>O_TMPFILE</em>, <em>O_F_CREATED</em>, <em>FD_UPPER_LAYER</em>, <em>FD_LOWER_LAYER</em>, UINT32 <strong>mode</strong>, UINT32 <strong>dev</strong>, UINT64 <strong>ino</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>close</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd</strong></td> </tr> <tr> <td style="text-align: left">No</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>read</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, BYTEBUF <strong>data</strong>, FD <strong>fd</strong>, UINT32 <strong>size</strong></td> </tr> <tr> <td style="text-align: left">No</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>write</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, BYTEBUF <strong>data</strong>, FD <strong>fd</strong>, UINT32 <strong>size</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>socket</code></td> <td style="text-align: left">FD <strong>fd</strong>, ENUMFLAGS32 <strong>domain</strong>: <em>AF_NFC</em>, <em>AF_ALG</em>, <em>AF_CAIF</em>, <em>AF_IEEE802154</em>, <em>AF_PHONET</em>, <em>AF_ISDN</em>, <em>AF_RXRPC</em>, <em>AF_IUCV</em>, <em>AF_BLUETOOTH</em>, <em>AF_TIPC</em>, <em>AF_CAN</em>, <em>AF_LLC</em>, <em>AF_WANPIPE</em>, <em>AF_PPPOX</em>, <em>AF_IRDA</em>, <em>AF_SNA</em>, <em>AF_RDS</em>, <em>AF_ATMSVC</em>, <em>AF_ECONET</em>, <em>AF_ASH</em>, <em>AF_PACKET</em>, <em>AF_ROUTE</em>, <em>AF_NETLINK</em>, <em>AF_KEY</em>, <em>AF_SECURITY</em>, <em>AF_NETBEUI</em>, <em>AF_DECnet</em>, <em>AF_ROSE</em>, <em>AF_INET6</em>, <em>AF_X25</em>, <em>AF_ATMPVC</em>, <em>AF_BRIDGE</em>, <em>AF_NETROM</em>, <em>AF_APPLETALK</em>, <em>AF_IPX</em>, <em>AF_AX25</em>, <em>AF_INET</em>, <em>AF_LOCAL</em>, <em>AF_UNIX</em>, <em>AF_UNSPEC</em>, UINT32 <strong>type</strong>, UINT32 <strong>proto</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>bind</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, SOCKADDR <strong>addr</strong>, FD <strong>fd</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>connect</code></td> <td style="text-align: left">FD <strong>fd</strong>, SOCKADDR <strong>addr</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>connect</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, SOCKTUPLE <strong>tuple</strong>, FD <strong>fd</strong>, SOCKADDR <strong>addr</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>listen</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd</strong>, INT32 <strong>backlog</strong></td> </tr> <tr> <td style="text-align: left">No</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>send</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, BYTEBUF <strong>data</strong>, FD <strong>fd</strong>, UINT32 <strong>size</strong>, SOCKTUPLE <strong>tuple</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sendto</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, BYTEBUF <strong>data</strong>, FD <strong>fd</strong>, UINT32 <strong>size</strong>, SOCKTUPLE <strong>tuple</strong></td> </tr> <tr> <td style="text-align: left">No</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>recv</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, BYTEBUF <strong>data</strong>, FD <strong>fd</strong>, UINT32 <strong>size</strong>, SOCKTUPLE <strong>tuple</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>recvfrom</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, BYTEBUF <strong>data</strong>, SOCKTUPLE <strong>tuple</strong>, FD <strong>fd</strong>, UINT32 <strong>size</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>shutdown</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd</strong>, ENUMFLAGS8 <strong>how</strong>: <em>SHUT_UNKNOWN</em>, <em>SHUT_RDWR</em>, <em>SHUT_WR</em>, <em>SHUT_RD</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getsockname</code></td> <td></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getpeername</code></td> <td></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>socketpair</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd1</strong>, FD <strong>fd2</strong>, UINT64 <strong>source</strong>, UINT64 <strong>peer</strong>, ENUMFLAGS32 <strong>domain</strong>: <em>AF_NFC</em>, <em>AF_ALG</em>, <em>AF_CAIF</em>, <em>AF_IEEE802154</em>, <em>AF_PHONET</em>, <em>AF_ISDN</em>, <em>AF_RXRPC</em>, <em>AF_IUCV</em>, <em>AF_BLUETOOTH</em>, <em>AF_TIPC</em>, <em>AF_CAN</em>, <em>AF_LLC</em>, <em>AF_WANPIPE</em>, <em>AF_PPPOX</em>, <em>AF_IRDA</em>, <em>AF_SNA</em>, <em>AF_RDS</em>, <em>AF_ATMSVC</em>, <em>AF_ECONET</em>, <em>AF_ASH</em>, <em>AF_PACKET</em>, <em>AF_ROUTE</em>, <em>AF_NETLINK</em>, <em>AF_KEY</em>, <em>AF_SECURITY</em>, <em>AF_NETBEUI</em>, <em>AF_DECnet</em>, <em>AF_ROSE</em>, <em>AF_INET6</em>, <em>AF_X25</em>, <em>AF_ATMPVC</em>, <em>AF_BRIDGE</em>, <em>AF_NETROM</em>, <em>AF_APPLETALK</em>, <em>AF_IPX</em>, <em>AF_AX25</em>, <em>AF_INET</em>, <em>AF_LOCAL</em>, <em>AF_UNIX</em>, <em>AF_UNSPEC</em>, UINT32 <strong>type</strong>, UINT32 <strong>proto</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>setsockopt</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd</strong>, ENUMFLAGS8 <strong>level</strong>: <em>SOL_SOCKET</em>, <em>SOL_TCP</em>, <em>UNKNOWN</em>, ENUMFLAGS8 <strong>optname</strong>: <em>SO_COOKIE</em>, <em>SO_MEMINFO</em>, <em>SO_PEERGROUPS</em>, <em>SO_ATTACH_BPF</em>, <em>SO_INCOMING_CPU</em>, <em>SO_BPF_EXTENSIONS</em>, <em>SO_MAX_PACING_RATE</em>, <em>SO_BUSY_POLL</em>, <em>SO_SELECT_ERR_QUEUE</em>, <em>SO_LOCK_FILTER</em>, <em>SO_NOFCS</em>, <em>SO_PEEK_OFF</em>, <em>SO_WIFI_STATUS</em>, <em>SO_RXQ_OVFL</em>, <em>SO_DOMAIN</em>, <em>SO_PROTOCOL</em>, <em>SO_TIMESTAMPING</em>, <em>SO_MARK</em>, <em>SO_TIMESTAMPNS</em>, <em>SO_PASSSEC</em>, <em>SO_PEERSEC</em>, <em>SO_ACCEPTCONN</em>, <em>SO_TIMESTAMP</em>, <em>SO_PEERNAME</em>, <em>SO_DETACH_FILTER</em>, <em>SO_ATTACH_FILTER</em>, <em>SO_BINDTODEVICE</em>, <em>SO_SECURITY_ENCRYPTION_NETWORK</em>, <em>SO_SECURITY_ENCRYPTION_TRANSPORT</em>, <em>SO_SECURITY_AUTHENTICATION</em>, <em>SO_SNDTIMEO</em>, <em>SO_RCVTIMEO</em>, <em>SO_SNDLOWAT</em>, <em>SO_RCVLOWAT</em>, <em>SO_PEERCRED</em>, <em>SO_PASSCRED</em>, <em>SO_REUSEPORT</em>, <em>SO_BSDCOMPAT</em>, <em>SO_LINGER</em>, <em>SO_PRIORITY</em>, <em>SO_NO_CHECK</em>, <em>SO_OOBINLINE</em>, <em>SO_KEEPALIVE</em>, <em>SO_RCVBUFFORCE</em>, <em>SO_SNDBUFFORCE</em>, <em>SO_RCVBUF</em>, <em>SO_SNDBUF</em>, <em>SO_BROADCAST</em>, <em>SO_DONTROUTE</em>, <em>SO_ERROR</em>, <em>SO_TYPE</em>, <em>SO_REUSEADDR</em>, <em>SO_DEBUG</em>, <em>UNKNOWN</em>, DYNAMIC <strong>val</strong>, UINT32 <strong>optlen</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getsockopt</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd</strong>, ENUMFLAGS8 <strong>level</strong>: <em>SOL_SOCKET</em>, <em>SOL_TCP</em>, <em>UNKNOWN</em>, ENUMFLAGS8 <strong>optname</strong>: <em>SO_COOKIE</em>, <em>SO_MEMINFO</em>, <em>SO_PEERGROUPS</em>, <em>SO_ATTACH_BPF</em>, <em>SO_INCOMING_CPU</em>, <em>SO_BPF_EXTENSIONS</em>, <em>SO_MAX_PACING_RATE</em>, <em>SO_BUSY_POLL</em>, <em>SO_SELECT_ERR_QUEUE</em>, <em>SO_LOCK_FILTER</em>, <em>SO_NOFCS</em>, <em>SO_PEEK_OFF</em>, <em>SO_WIFI_STATUS</em>, <em>SO_RXQ_OVFL</em>, <em>SO_DOMAIN</em>, <em>SO_PROTOCOL</em>, <em>SO_TIMESTAMPING</em>, <em>SO_MARK</em>, <em>SO_TIMESTAMPNS</em>, <em>SO_PASSSEC</em>, <em>SO_PEERSEC</em>, <em>SO_ACCEPTCONN</em>, <em>SO_TIMESTAMP</em>, <em>SO_PEERNAME</em>, <em>SO_DETACH_FILTER</em>, <em>SO_ATTACH_FILTER</em>, <em>SO_BINDTODEVICE</em>, <em>SO_SECURITY_ENCRYPTION_NETWORK</em>, <em>SO_SECURITY_ENCRYPTION_TRANSPORT</em>, <em>SO_SECURITY_AUTHENTICATION</em>, <em>SO_SNDTIMEO</em>, <em>SO_RCVTIMEO</em>, <em>SO_SNDLOWAT</em>, <em>SO_RCVLOWAT</em>, <em>SO_PEERCRED</em>, <em>SO_PASSCRED</em>, <em>SO_REUSEPORT</em>, <em>SO_BSDCOMPAT</em>, <em>SO_LINGER</em>, <em>SO_PRIORITY</em>, <em>SO_NO_CHECK</em>, <em>SO_OOBINLINE</em>, <em>SO_KEEPALIVE</em>, <em>SO_RCVBUFFORCE</em>, <em>SO_SNDBUFFORCE</em>, <em>SO_RCVBUF</em>, <em>SO_SNDBUF</em>, <em>SO_BROADCAST</em>, <em>SO_DONTROUTE</em>, <em>SO_ERROR</em>, <em>SO_TYPE</em>, <em>SO_REUSEADDR</em>, <em>SO_DEBUG</em>, <em>UNKNOWN</em>, DYNAMIC <strong>val</strong>, UINT32 <strong>optlen</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sendmsg</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, BYTEBUF <strong>data</strong>, FD <strong>fd</strong>, UINT32 <strong>size</strong>, SOCKTUPLE <strong>tuple</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sendmmsg</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd</strong>, UINT32 <strong>size</strong>, BYTEBUF <strong>data</strong>, SOCKTUPLE <strong>tuple</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>recvmsg</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, UINT32 <strong>size</strong>, BYTEBUF <strong>data</strong>, SOCKTUPLE <strong>tuple</strong>, BYTEBUF <strong>msgcontrol</strong>, FD <strong>fd</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>recvmmsg</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd</strong>, UINT32 <strong>size</strong>, BYTEBUF <strong>data</strong>, SOCKTUPLE <strong>tuple</strong>, BYTEBUF <strong>msgcontrol</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>creat</code></td> <td style="text-align: left">FSPATH <strong>name</strong>, UINT32 <strong>mode</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>creat</code></td> <td style="text-align: left">FD <strong>fd</strong>, FSPATH <strong>name</strong>, UINT32 <strong>mode</strong>, UINT32 <strong>dev</strong>, UINT64 <strong>ino</strong>, FLAGS16 <strong>creat_flags</strong>: <em>FD_UPPER_LAYER_CREAT</em>, <em>FD_LOWER_LAYER_CREAT</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>pipe</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd1</strong>, FD <strong>fd2</strong>, UINT64 <strong>ino</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>eventfd</code></td> <td style="text-align: left">FD <strong>res</strong>, UINT64 <strong>initval</strong>, UINT32 <strong>flags</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>futex</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, UINT64 <strong>addr</strong>, FLAGS16 <strong>op</strong>: <em>FUTEX_CLOCK_REALTIME</em>, <em>FUTEX_PRIVATE_FLAG</em>, <em>FUTEX_CMP_REQUEUE_PI</em>, <em>FUTEX_WAIT_REQUEUE_PI</em>, <em>FUTEX_WAKE_BITSET</em>, <em>FUTEX_WAIT_BITSET</em>, <em>FUTEX_TRYLOCK_PI</em>, <em>FUTEX_UNLOCK_PI</em>, <em>FUTEX_LOCK_PI</em>, <em>FUTEX_WAKE_OP</em>, <em>FUTEX_CMP_REQUEUE</em>, <em>FUTEX_REQUEUE</em>, <em>FUTEX_FD</em>, <em>FUTEX_WAKE</em>, <em>FUTEX_WAIT</em>, UINT64 <strong>val</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>stat</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FSPATH <strong>path</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>lstat</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FSPATH <strong>path</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fstat</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>stat64</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FSPATH <strong>path</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>lstat64</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FSPATH <strong>path</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fstat64</code></td> <td style="text-align: left">ERRNO <strong>res</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>epoll_wait</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, ERRNO <strong>maxevents</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>poll</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FDLIST <strong>fds</strong>, INT64 <strong>timeout</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>select</code></td> <td style="text-align: left">ERRNO <strong>res</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>lseek</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd</strong>, UINT64 <strong>offset</strong>, ENUMFLAGS8 <strong>whence</strong>: <em>SEEK_END</em>, <em>SEEK_CUR</em>, <em>SEEK_SET</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>llseek</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd</strong>, UINT64 <strong>offset</strong>, ENUMFLAGS8 <strong>whence</strong>: <em>SEEK_END</em>, <em>SEEK_CUR</em>, <em>SEEK_SET</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getcwd</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, CHARBUF <strong>path</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>chdir</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, CHARBUF <strong>path</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fchdir</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd</strong></td> </tr> <tr> <td style="text-align: left">No</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>pread</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, BYTEBUF <strong>data</strong>, FD <strong>fd</strong>, UINT32 <strong>size</strong>, UINT64 <strong>pos</strong></td> </tr> <tr> <td style="text-align: left">No</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>pwrite</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, BYTEBUF <strong>data</strong>, FD <strong>fd</strong>, UINT32 <strong>size</strong>, UINT64 <strong>pos</strong></td> </tr> <tr> <td style="text-align: left">No</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>readv</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, UINT32 <strong>size</strong>, BYTEBUF <strong>data</strong>, FD <strong>fd</strong></td> </tr> <tr> <td style="text-align: left">No</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>writev</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, BYTEBUF <strong>data</strong>, FD <strong>fd</strong>, UINT32 <strong>size</strong></td> </tr> <tr> <td style="text-align: left">No</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>preadv</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, UINT32 <strong>size</strong>, BYTEBUF <strong>data</strong>, FD <strong>fd</strong>, UINT64 <strong>pos</strong></td> </tr> <tr> <td style="text-align: left">No</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>pwritev</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, BYTEBUF <strong>data</strong>, FD <strong>fd</strong>, UINT32 <strong>size</strong>, UINT64 <strong>pos</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>signalfd</code></td> <td style="text-align: left">FD <strong>res</strong>, FD <strong>fd</strong>, UINT32 <strong>mask</strong>, UINT8 <strong>flags</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>kill</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, PID <strong>pid</strong>, SIGTYPE <strong>sig</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>tkill</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, PID <strong>tid</strong>, SIGTYPE <strong>sig</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>tgkill</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, PID <strong>pid</strong>, PID <strong>tid</strong>, SIGTYPE <strong>sig</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>nanosleep</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, RELTIME <strong>interval</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>timerfd_create</code></td> <td style="text-align: left">FD <strong>res</strong>, UINT8 <strong>clockid</strong>, UINT8 <strong>flags</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>inotify_init</code></td> <td style="text-align: left">FD <strong>res</strong>, UINT8 <strong>flags</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getrlimit</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, INT64 <strong>cur</strong>, INT64 <strong>max</strong>, ENUMFLAGS8 <strong>resource</strong>: <em>RLIMIT_UNKNOWN</em>, <em>RLIMIT_RTTIME</em>, <em>RLIMIT_RTPRIO</em>, <em>RLIMIT_NICE</em>, <em>RLIMIT_MSGQUEUE</em>, <em>RLIMIT_SIGPENDING</em>, <em>RLIMIT_LOCKS</em>, <em>RLIMIT_AS</em>, <em>RLIMIT_MEMLOCK</em>, <em>RLIMIT_NOFILE</em>, <em>RLIMIT_NPROC</em>, <em>RLIMIT_RSS</em>, <em>RLIMIT_CORE</em>, <em>RLIMIT_STACK</em>, <em>RLIMIT_DATA</em>, <em>RLIMIT_FSIZE</em>, <em>RLIMIT_CPU</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>setrlimit</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, INT64 <strong>cur</strong>, INT64 <strong>max</strong>, ENUMFLAGS8 <strong>resource</strong>: <em>RLIMIT_UNKNOWN</em>, <em>RLIMIT_RTTIME</em>, <em>RLIMIT_RTPRIO</em>, <em>RLIMIT_NICE</em>, <em>RLIMIT_MSGQUEUE</em>, <em>RLIMIT_SIGPENDING</em>, <em>RLIMIT_LOCKS</em>, <em>RLIMIT_AS</em>, <em>RLIMIT_MEMLOCK</em>, <em>RLIMIT_NOFILE</em>, <em>RLIMIT_NPROC</em>, <em>RLIMIT_RSS</em>, <em>RLIMIT_CORE</em>, <em>RLIMIT_STACK</em>, <em>RLIMIT_DATA</em>, <em>RLIMIT_FSIZE</em>, <em>RLIMIT_CPU</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>prlimit</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, INT64 <strong>newcur</strong>, INT64 <strong>newmax</strong>, INT64 <strong>oldcur</strong>, INT64 <strong>oldmax</strong>, INT64 <strong>pid</strong>, ENUMFLAGS8 <strong>resource</strong>: <em>RLIMIT_UNKNOWN</em>, <em>RLIMIT_RTTIME</em>, <em>RLIMIT_RTPRIO</em>, <em>RLIMIT_NICE</em>, <em>RLIMIT_MSGQUEUE</em>, <em>RLIMIT_SIGPENDING</em>, <em>RLIMIT_LOCKS</em>, <em>RLIMIT_AS</em>, <em>RLIMIT_MEMLOCK</em>, <em>RLIMIT_NOFILE</em>, <em>RLIMIT_NPROC</em>, <em>RLIMIT_RSS</em>, <em>RLIMIT_CORE</em>, <em>RLIMIT_STACK</em>, <em>RLIMIT_DATA</em>, <em>RLIMIT_FSIZE</em>, <em>RLIMIT_CPU</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fcntl</code></td> <td style="text-align: left">FD <strong>res</strong>, FD <strong>fd</strong>, ENUMFLAGS8 <strong>cmd</strong>: <em>F_GETPIPE_SZ</em>, <em>F_SETPIPE_SZ</em>, <em>F_NOTIFY</em>, <em>F_DUPFD_CLOEXEC</em>, <em>F_CANCELLK</em>, <em>F_GETLEASE</em>, <em>F_SETLEASE</em>, <em>F_GETOWN_EX</em>, <em>F_SETOWN_EX</em>, <em>F_SETLKW64</em>, <em>F_SETLK64</em>, <em>F_GETLK64</em>, <em>F_GETSIG</em>, <em>F_SETSIG</em>, <em>F_GETOWN</em>, <em>F_SETOWN</em>, <em>F_SETLKW</em>, <em>F_SETLK</em>, <em>F_GETLK</em>, <em>F_SETFL</em>, <em>F_GETFL</em>, <em>F_SETFD</em>, <em>F_GETFD</em>, <em>F_DUPFD</em>, <em>F_OFD_GETLK</em>, <em>F_OFD_SETLK</em>, <em>F_OFD_SETLKW</em>, <em>UNKNOWN</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>brk</code></td> <td style="text-align: left">UINT64 <strong>res</strong>, UINT32 <strong>vm_size</strong>, UINT32 <strong>vm_rss</strong>, UINT32 <strong>vm_swap</strong>, UINT64 <strong>addr</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>mmap</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, UINT32 <strong>vm_size</strong>, UINT32 <strong>vm_rss</strong>, UINT32 <strong>vm_swap</strong>, UINT64 <strong>addr</strong>, UINT64 <strong>length</strong>, FLAGS32 <strong>prot</strong>: <em>PROT_READ</em>, <em>PROT_WRITE</em>, <em>PROT_EXEC</em>, <em>PROT_SEM</em>, <em>PROT_GROWSDOWN</em>, <em>PROT_GROWSUP</em>, <em>PROT_SAO</em>, <em>PROT_NONE</em>, FLAGS32 <strong>flags</strong>: <em>MAP_SHARED</em>, <em>MAP_PRIVATE</em>, <em>MAP_FIXED</em>, <em>MAP_ANONYMOUS</em>, <em>MAP_32BIT</em>, <em>MAP_RENAME</em>, <em>MAP_NORESERVE</em>, <em>MAP_POPULATE</em>, <em>MAP_NONBLOCK</em>, <em>MAP_GROWSDOWN</em>, <em>MAP_DENYWRITE</em>, <em>MAP_EXECUTABLE</em>, <em>MAP_INHERIT</em>, <em>MAP_FILE</em>, <em>MAP_LOCKED</em>, FD <strong>fd</strong>, UINT64 <strong>offset</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>mmap2</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, UINT32 <strong>vm_size</strong>, UINT32 <strong>vm_rss</strong>, UINT32 <strong>vm_swap</strong>, UINT64 <strong>addr</strong>, UINT64 <strong>length</strong>, FLAGS32 <strong>prot</strong>: <em>PROT_READ</em>, <em>PROT_WRITE</em>, <em>PROT_EXEC</em>, <em>PROT_SEM</em>, <em>PROT_GROWSDOWN</em>, <em>PROT_GROWSUP</em>, <em>PROT_SAO</em>, <em>PROT_NONE</em>, FLAGS32 <strong>flags</strong>: <em>MAP_SHARED</em>, <em>MAP_PRIVATE</em>, <em>MAP_FIXED</em>, <em>MAP_ANONYMOUS</em>, <em>MAP_32BIT</em>, <em>MAP_RENAME</em>, <em>MAP_NORESERVE</em>, <em>MAP_POPULATE</em>, <em>MAP_NONBLOCK</em>, <em>MAP_GROWSDOWN</em>, <em>MAP_DENYWRITE</em>, <em>MAP_EXECUTABLE</em>, <em>MAP_INHERIT</em>, <em>MAP_FILE</em>, <em>MAP_LOCKED</em>, FD <strong>fd</strong>, UINT64 <strong>pgoffset</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>munmap</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, UINT32 <strong>vm_size</strong>, UINT32 <strong>vm_rss</strong>, UINT32 <strong>vm_swap</strong>, UINT64 <strong>addr</strong>, UINT64 <strong>length</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>splice</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd_in</strong>, FD <strong>fd_out</strong>, UINT64 <strong>size</strong>, FLAGS32 <strong>flags</strong>: <em>SPLICE_F_MOVE</em>, <em>SPLICE_F_NONBLOCK</em>, <em>SPLICE_F_MORE</em>, <em>SPLICE_F_GIFT</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>ptrace</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, DYNAMIC <strong>addr</strong>, DYNAMIC <strong>data</strong>, ENUMFLAGS16 <strong>request</strong>: <em>PTRACE_SINGLEBLOCK</em>, <em>PTRACE_SYSEMU_SINGLESTEP</em>, <em>PTRACE_SYSEMU</em>, <em>PTRACE_ARCH_PRCTL</em>, <em>PTRACE_SET_THREAD_AREA</em>, <em>PTRACE_GET_THREAD_AREA</em>, <em>PTRACE_OLDSETOPTIONS</em>, <em>PTRACE_SETFPXREGS</em>, <em>PTRACE_GETFPXREGS</em>, <em>PTRACE_SETFPREGS</em>, <em>PTRACE_GETFPREGS</em>, <em>PTRACE_SETREGS</em>, <em>PTRACE_GETREGS</em>, <em>PTRACE_SETSIGMASK</em>, <em>PTRACE_GETSIGMASK</em>, <em>PTRACE_PEEKSIGINFO</em>, <em>PTRACE_LISTEN</em>, <em>PTRACE_INTERRUPT</em>, <em>PTRACE_SEIZE</em>, <em>PTRACE_SETREGSET</em>, <em>PTRACE_GETREGSET</em>, <em>PTRACE_SETSIGINFO</em>, <em>PTRACE_GETSIGINFO</em>, <em>PTRACE_GETEVENTMSG</em>, <em>PTRACE_SETOPTIONS</em>, <em>PTRACE_SYSCALL</em>, <em>PTRACE_DETACH</em>, <em>PTRACE_ATTACH</em>, <em>PTRACE_SINGLESTEP</em>, <em>PTRACE_KILL</em>, <em>PTRACE_CONT</em>, <em>PTRACE_POKEUSR</em>, <em>PTRACE_POKEDATA</em>, <em>PTRACE_POKETEXT</em>, <em>PTRACE_PEEKUSR</em>, <em>PTRACE_PEEKDATA</em>, <em>PTRACE_PEEKTEXT</em>, <em>PTRACE_TRACEME</em>, <em>PTRACE_UNKNOWN</em>, PID <strong>pid</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>ioctl</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd</strong>, UINT64 <strong>request</strong>, UINT64 <strong>argument</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>rename</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FSPATH <strong>oldpath</strong>, FSPATH <strong>newpath</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>renameat</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>olddirfd</strong>, FSRELPATH <strong>oldpath</strong>, FD <strong>newdirfd</strong>, FSRELPATH <strong>newpath</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>symlink</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, CHARBUF <strong>target</strong>, FSPATH <strong>linkpath</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>symlinkat</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, CHARBUF <strong>target</strong>, FD <strong>linkdirfd</strong>, FSRELPATH <strong>linkpath</strong></td> </tr> <tr> <td style="text-align: left">No</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sendfile</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, UINT64 <strong>offset</strong>, FD <strong>out_fd</strong>, FD <strong>in_fd</strong>, UINT64 <strong>size</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>quotactl</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, CHARBUF <strong>special</strong>, CHARBUF <strong>quotafilepath</strong>, UINT64 <strong>dqb_bhardlimit</strong>, UINT64 <strong>dqb_bsoftlimit</strong>, UINT64 <strong>dqb_curspace</strong>, UINT64 <strong>dqb_ihardlimit</strong>, UINT64 <strong>dqb_isoftlimit</strong>, RELTIME <strong>dqb_btime</strong>, RELTIME <strong>dqb_itime</strong>, RELTIME <strong>dqi_bgrace</strong>, RELTIME <strong>dqi_igrace</strong>, FLAGS8 <strong>dqi_flags</strong>: <em>DQF_NONE</em>, <em>V1_DQF_RSQUASH</em>, FLAGS8 <strong>quota_fmt_out</strong>: <em>QFMT_NOT_USED</em>, <em>QFMT_VFS_OLD</em>, <em>QFMT_VFS_V0</em>, <em>QFMT_VFS_V1</em>, FLAGS16 <strong>cmd</strong>: <em>Q_QUOTAON</em>, <em>Q_QUOTAOFF</em>, <em>Q_GETFMT</em>, <em>Q_GETINFO</em>, <em>Q_SETINFO</em>, <em>Q_GETQUOTA</em>, <em>Q_SETQUOTA</em>, <em>Q_SYNC</em>, <em>Q_XQUOTAON</em>, <em>Q_XQUOTAOFF</em>, <em>Q_XGETQUOTA</em>, <em>Q_XSETQLIM</em>, <em>Q_XGETQSTAT</em>, <em>Q_XQUOTARM</em>, <em>Q_XQUOTASYNC</em>, FLAGS8 <strong>type</strong>: <em>USRQUOTA</em>, <em>GRPQUOTA</em>, UINT32 <strong>id</strong>, FLAGS8 <strong>quota_fmt</strong>: <em>QFMT_NOT_USED</em>, <em>QFMT_VFS_OLD</em>, <em>QFMT_VFS_V0</em>, <em>QFMT_VFS_V1</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>setresuid</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, UID <strong>ruid</strong>, UID <strong>euid</strong>, UID <strong>suid</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>setresgid</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, GID <strong>rgid</strong>, GID <strong>egid</strong>, GID <strong>sgid</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>setuid</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, UID <strong>uid</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>setgid</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, GID <strong>gid</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getuid</code></td> <td style="text-align: left">UID <strong>uid</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>geteuid</code></td> <td style="text-align: left">UID <strong>euid</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getgid</code></td> <td style="text-align: left">GID <strong>gid</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getegid</code></td> <td style="text-align: left">GID <strong>egid</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getresuid</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, UID <strong>ruid</strong>, UID <strong>euid</strong>, UID <strong>suid</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getresgid</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, GID <strong>rgid</strong>, GID <strong>egid</strong>, GID <strong>sgid</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>clone</code></td> <td style="text-align: left">PID <strong>res</strong>, CHARBUF <strong>exe</strong>, BYTEBUF <strong>args</strong>, PID <strong>tid</strong>, PID <strong>pid</strong>, PID <strong>ptid</strong>, CHARBUF <strong>cwd</strong>, INT64 <strong>fdlimit</strong>, UINT64 <strong>pgft_maj</strong>, UINT64 <strong>pgft_min</strong>, UINT32 <strong>vm_size</strong>, UINT32 <strong>vm_rss</strong>, UINT32 <strong>vm_swap</strong>, CHARBUF <strong>comm</strong>, BYTEBUF <strong>cgroups</strong>, FLAGS32 <strong>flags</strong>: <em>CLONE_FILES</em>, <em>CLONE_FS</em>, <em>CLONE_IO</em>, <em>CLONE_NEWIPC</em>, <em>CLONE_NEWNET</em>, <em>CLONE_NEWNS</em>, <em>CLONE_NEWPID</em>, <em>CLONE_NEWUTS</em>, <em>CLONE_PARENT</em>, <em>CLONE_PARENT_SETTID</em>, <em>CLONE_PTRACE</em>, <em>CLONE_SIGHAND</em>, <em>CLONE_SYSVSEM</em>, <em>CLONE_THREAD</em>, <em>CLONE_UNTRACED</em>, <em>CLONE_VM</em>, <em>CLONE_INVERTED</em>, <em>NAME_CHANGED</em>, <em>CLOSED</em>, <em>CLONE_NEWUSER</em>, <em>CLONE_CHILD_CLEARTID</em>, <em>CLONE_CHILD_SETTID</em>, <em>CLONE_SETTLS</em>, <em>CLONE_STOPPED</em>, <em>CLONE_VFORK</em>, <em>CLONE_NEWCGROUP</em>, <em>CLONE_CHILD_IN_PIDNS</em>, UINT32 <strong>uid</strong>, UINT32 <strong>gid</strong>, PID <strong>vtid</strong>, PID <strong>vpid</strong>, UINT64 <strong>pidns_init_start_ts</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fork</code></td> <td style="text-align: left">PID <strong>res</strong>, CHARBUF <strong>exe</strong>, BYTEBUF <strong>args</strong>, PID <strong>tid</strong>, PID <strong>pid</strong>, PID <strong>ptid</strong>, CHARBUF <strong>cwd</strong>, INT64 <strong>fdlimit</strong>, UINT64 <strong>pgft_maj</strong>, UINT64 <strong>pgft_min</strong>, UINT32 <strong>vm_size</strong>, UINT32 <strong>vm_rss</strong>, UINT32 <strong>vm_swap</strong>, CHARBUF <strong>comm</strong>, BYTEBUF <strong>cgroups</strong>, FLAGS32 <strong>flags</strong>: <em>CLONE_FILES</em>, <em>CLONE_FS</em>, <em>CLONE_IO</em>, <em>CLONE_NEWIPC</em>, <em>CLONE_NEWNET</em>, <em>CLONE_NEWNS</em>, <em>CLONE_NEWPID</em>, <em>CLONE_NEWUTS</em>, <em>CLONE_PARENT</em>, <em>CLONE_PARENT_SETTID</em>, <em>CLONE_PTRACE</em>, <em>CLONE_SIGHAND</em>, <em>CLONE_SYSVSEM</em>, <em>CLONE_THREAD</em>, <em>CLONE_UNTRACED</em>, <em>CLONE_VM</em>, <em>CLONE_INVERTED</em>, <em>NAME_CHANGED</em>, <em>CLOSED</em>, <em>CLONE_NEWUSER</em>, <em>CLONE_CHILD_CLEARTID</em>, <em>CLONE_CHILD_SETTID</em>, <em>CLONE_SETTLS</em>, <em>CLONE_STOPPED</em>, <em>CLONE_VFORK</em>, <em>CLONE_NEWCGROUP</em>, <em>CLONE_CHILD_IN_PIDNS</em>, UINT32 <strong>uid</strong>, UINT32 <strong>gid</strong>, PID <strong>vtid</strong>, PID <strong>vpid</strong>, UINT64 <strong>pidns_init_start_ts</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>vfork</code></td> <td style="text-align: left">PID <strong>res</strong>, CHARBUF <strong>exe</strong>, BYTEBUF <strong>args</strong>, PID <strong>tid</strong>, PID <strong>pid</strong>, PID <strong>ptid</strong>, CHARBUF <strong>cwd</strong>, INT64 <strong>fdlimit</strong>, UINT64 <strong>pgft_maj</strong>, UINT64 <strong>pgft_min</strong>, UINT32 <strong>vm_size</strong>, UINT32 <strong>vm_rss</strong>, UINT32 <strong>vm_swap</strong>, CHARBUF <strong>comm</strong>, BYTEBUF <strong>cgroups</strong>, FLAGS32 <strong>flags</strong>: <em>CLONE_FILES</em>, <em>CLONE_FS</em>, <em>CLONE_IO</em>, <em>CLONE_NEWIPC</em>, <em>CLONE_NEWNET</em>, <em>CLONE_NEWNS</em>, <em>CLONE_NEWPID</em>, <em>CLONE_NEWUTS</em>, <em>CLONE_PARENT</em>, <em>CLONE_PARENT_SETTID</em>, <em>CLONE_PTRACE</em>, <em>CLONE_SIGHAND</em>, <em>CLONE_SYSVSEM</em>, <em>CLONE_THREAD</em>, <em>CLONE_UNTRACED</em>, <em>CLONE_VM</em>, <em>CLONE_INVERTED</em>, <em>NAME_CHANGED</em>, <em>CLOSED</em>, <em>CLONE_NEWUSER</em>, <em>CLONE_CHILD_CLEARTID</em>, <em>CLONE_CHILD_SETTID</em>, <em>CLONE_SETTLS</em>, <em>CLONE_STOPPED</em>, <em>CLONE_VFORK</em>, <em>CLONE_NEWCGROUP</em>, <em>CLONE_CHILD_IN_PIDNS</em>, UINT32 <strong>uid</strong>, UINT32 <strong>gid</strong>, PID <strong>vtid</strong>, PID <strong>vpid</strong>, UINT64 <strong>pidns_init_start_ts</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getdents</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getdents64</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>setns</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd</strong>, FLAGS32 <strong>nstype</strong>: <em>CLONE_FILES</em>, <em>CLONE_FS</em>, <em>CLONE_IO</em>, <em>CLONE_NEWIPC</em>, <em>CLONE_NEWNET</em>, <em>CLONE_NEWNS</em>, <em>CLONE_NEWPID</em>, <em>CLONE_NEWUTS</em>, <em>CLONE_PARENT</em>, <em>CLONE_PARENT_SETTID</em>, <em>CLONE_PTRACE</em>, <em>CLONE_SIGHAND</em>, <em>CLONE_SYSVSEM</em>, <em>CLONE_THREAD</em>, <em>CLONE_UNTRACED</em>, <em>CLONE_VM</em>, <em>CLONE_INVERTED</em>, <em>NAME_CHANGED</em>, <em>CLOSED</em>, <em>CLONE_NEWUSER</em>, <em>CLONE_CHILD_CLEARTID</em>, <em>CLONE_CHILD_SETTID</em>, <em>CLONE_SETTLS</em>, <em>CLONE_STOPPED</em>, <em>CLONE_VFORK</em>, <em>CLONE_NEWCGROUP</em>, <em>CLONE_CHILD_IN_PIDNS</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>flock</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd</strong>, FLAGS32 <strong>operation</strong>: <em>LOCK_SH</em>, <em>LOCK_EX</em>, <em>LOCK_NB</em>, <em>LOCK_UN</em>, <em>LOCK_NONE</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>accept</code></td> <td style="text-align: left">FD <strong>fd</strong>, SOCKTUPLE <strong>tuple</strong>, UINT8 <strong>queuepct</strong>, UINT32 <strong>queuelen</strong>, UINT32 <strong>queuemax</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>semop</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, UINT32 <strong>nsops</strong>, UINT16 <strong>sem_num_0</strong>, INT16 <strong>sem_op_0</strong>, FLAGS16 <strong>sem_flg_0</strong>: <em>IPC_NOWAIT</em>, <em>SEM_UNDO</em>, UINT16 <strong>sem_num_1</strong>, INT16 <strong>sem_op_1</strong>, FLAGS16 <strong>sem_flg_1</strong>: <em>IPC_NOWAIT</em>, <em>SEM_UNDO</em>, INT32 <strong>semid</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>semctl</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, INT32 <strong>semid</strong>, INT32 <strong>semnum</strong>, FLAGS16 <strong>cmd</strong>: <em>IPC_STAT</em>, <em>IPC_SET</em>, <em>IPC_RMID</em>, <em>IPC_INFO</em>, <em>SEM_INFO</em>, <em>SEM_STAT</em>, <em>GETALL</em>, <em>GETNCNT</em>, <em>GETPID</em>, <em>GETVAL</em>, <em>GETZCNT</em>, <em>SETALL</em>, <em>SETVAL</em>, INT32 <strong>val</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>ppoll</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FDLIST <strong>fds</strong>, RELTIME <strong>timeout</strong>, SIGSET <strong>sigmask</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>mount</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, CHARBUF <strong>dev</strong>, FSPATH <strong>dir</strong>, CHARBUF <strong>type</strong>, FLAGS32 <strong>flags</strong>: <em>RDONLY</em>, <em>NOSUID</em>, <em>NODEV</em>, <em>NOEXEC</em>, <em>SYNCHRONOUS</em>, <em>REMOUNT</em>, <em>MANDLOCK</em>, <em>DIRSYNC</em>, <em>NOATIME</em>, <em>NODIRATIME</em>, <em>BIND</em>, <em>MOVE</em>, <em>REC</em>, <em>SILENT</em>, <em>POSIXACL</em>, <em>UNBINDABLE</em>, <em>PRIVATE</em>, <em>SLAVE</em>, <em>SHARED</em>, <em>RELATIME</em>, <em>KERNMOUNT</em>, <em>I_VERSION</em>, <em>STRICTATIME</em>, <em>LAZYTIME</em>, <em>NOSEC</em>, <em>BORN</em>, <em>ACTIVE</em>, <em>NOUSER</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>semget</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, INT32 <strong>key</strong>, INT32 <strong>nsems</strong>, FLAGS32 <strong>semflg</strong>: <em>IPC_EXCL</em>, <em>IPC_CREAT</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>access</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FSPATH <strong>name</strong>, FLAGS32 <strong>mode</strong>: <em>F_OK</em>, <em>R_OK</em>, <em>W_OK</em>, <em>X_OK</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>chroot</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FSPATH <strong>path</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>setsid</code></td> <td style="text-align: left">PID <strong>res</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>mkdir</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FSPATH <strong>path</strong>, UINT32 <strong>mode</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>rmdir</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FSPATH <strong>path</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>unshare</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FLAGS32 <strong>flags</strong>: <em>CLONE_FILES</em>, <em>CLONE_FS</em>, <em>CLONE_IO</em>, <em>CLONE_NEWIPC</em>, <em>CLONE_NEWNET</em>, <em>CLONE_NEWNS</em>, <em>CLONE_NEWPID</em>, <em>CLONE_NEWUTS</em>, <em>CLONE_PARENT</em>, <em>CLONE_PARENT_SETTID</em>, <em>CLONE_PTRACE</em>, <em>CLONE_SIGHAND</em>, <em>CLONE_SYSVSEM</em>, <em>CLONE_THREAD</em>, <em>CLONE_UNTRACED</em>, <em>CLONE_VM</em>, <em>CLONE_INVERTED</em>, <em>NAME_CHANGED</em>, <em>CLOSED</em>, <em>CLONE_NEWUSER</em>, <em>CLONE_CHILD_CLEARTID</em>, <em>CLONE_CHILD_SETTID</em>, <em>CLONE_SETTLS</em>, <em>CLONE_STOPPED</em>, <em>CLONE_VFORK</em>, <em>CLONE_NEWCGROUP</em>, <em>CLONE_CHILD_IN_PIDNS</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>execve</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, CHARBUF <strong>exe</strong>, BYTEBUF <strong>args</strong>, PID <strong>tid</strong>, PID <strong>pid</strong>, PID <strong>ptid</strong>, CHARBUF <strong>cwd</strong>, UINT64 <strong>fdlimit</strong>, UINT64 <strong>pgft_maj</strong>, UINT64 <strong>pgft_min</strong>, UINT32 <strong>vm_size</strong>, UINT32 <strong>vm_rss</strong>, UINT32 <strong>vm_swap</strong>, CHARBUF <strong>comm</strong>, BYTEBUF <strong>cgroups</strong>, BYTEBUF <strong>env</strong>, UINT32 <strong>tty</strong>, PID <strong>vpgid</strong>, UID <strong>loginuid</strong>, FLAGS32 <strong>flags</strong>: <em>EXE_WRITABLE</em>, <em>EXE_UPPER_LAYER</em>, <em>EXE_FROM_MEMFD</em>, <em>EXE_LOWER_LAYER</em>, UINT64 <strong>cap_inheritable</strong>, UINT64 <strong>cap_permitted</strong>, UINT64 <strong>cap_effective</strong>, UINT64 <strong>exe_ino</strong>, ABSTIME <strong>exe_ino_ctime</strong>, ABSTIME <strong>exe_ino_mtime</strong>, UID <strong>uid</strong>, FSPATH <strong>trusted_exepath</strong>, PID <strong>pgid</strong>, GID <strong>gid</strong>, FSPATH <strong>filename</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>setpgid</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, PID <strong>pid</strong>, PID <strong>pgid</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>seccomp</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, UINT64 <strong>op</strong>, UINT64 <strong>flags</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>unlink</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FSPATH <strong>path</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>unlinkat</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>dirfd</strong>, FSRELPATH <strong>name</strong>, FLAGS32 <strong>flags</strong>: <em>AT_REMOVEDIR</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>mkdirat</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>dirfd</strong>, FSRELPATH <strong>path</strong>, UINT32 <strong>mode</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>openat</code></td> <td style="text-align: left">FD <strong>dirfd</strong>, FSRELPATH <strong>name</strong>, FLAGS32 <strong>flags</strong>: <em>O_LARGEFILE</em>, <em>O_DIRECTORY</em>, <em>O_DIRECT</em>, <em>O_TRUNC</em>, <em>O_SYNC</em>, <em>O_NONBLOCK</em>, <em>O_EXCL</em>, <em>O_DSYNC</em>, <em>O_APPEND</em>, <em>O_CREAT</em>, <em>O_RDWR</em>, <em>O_WRONLY</em>, <em>O_RDONLY</em>, <em>O_CLOEXEC</em>, <em>O_NONE</em>, <em>O_TMPFILE</em>, <em>O_F_CREATED</em>, <em>FD_UPPER_LAYER</em>, <em>FD_LOWER_LAYER</em>, UINT32 <strong>mode</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>openat</code></td> <td style="text-align: left">FD <strong>fd</strong>, FD <strong>dirfd</strong>, FSRELPATH <strong>name</strong>, FLAGS32 <strong>flags</strong>: <em>O_LARGEFILE</em>, <em>O_DIRECTORY</em>, <em>O_DIRECT</em>, <em>O_TRUNC</em>, <em>O_SYNC</em>, <em>O_NONBLOCK</em>, <em>O_EXCL</em>, <em>O_DSYNC</em>, <em>O_APPEND</em>, <em>O_CREAT</em>, <em>O_RDWR</em>, <em>O_WRONLY</em>, <em>O_RDONLY</em>, <em>O_CLOEXEC</em>, <em>O_NONE</em>, <em>O_TMPFILE</em>, <em>O_F_CREATED</em>, <em>FD_UPPER_LAYER</em>, <em>FD_LOWER_LAYER</em>, UINT32 <strong>mode</strong>, UINT32 <strong>dev</strong>, UINT64 <strong>ino</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>link</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FSPATH <strong>oldpath</strong>, FSPATH <strong>newpath</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>linkat</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>olddir</strong>, FSRELPATH <strong>oldpath</strong>, FD <strong>newdir</strong>, FSRELPATH <strong>newpath</strong>, FLAGS32 <strong>flags</strong>: <em>AT_SYMLINK_FOLLOW</em>, <em>AT_EMPTY_PATH</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fchmodat</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>dirfd</strong>, FSRELPATH <strong>filename</strong>, MODE <strong>mode</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>chmod</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FSPATH <strong>filename</strong>, MODE <strong>mode</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fchmod</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd</strong>, MODE <strong>mode</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>renameat2</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>olddirfd</strong>, FSRELPATH <strong>oldpath</strong>, FD <strong>newdirfd</strong>, FSRELPATH <strong>newpath</strong>, FLAGS32 <strong>flags</strong>: <em>RENAME_NOREPLACE</em>, <em>RENAME_EXCHANGE</em>, <em>RENAME_WHITEOUT</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>userfaultfd</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FLAGS32 <strong>flags</strong>: <em>O_LARGEFILE</em>, <em>O_DIRECTORY</em>, <em>O_DIRECT</em>, <em>O_TRUNC</em>, <em>O_SYNC</em>, <em>O_NONBLOCK</em>, <em>O_EXCL</em>, <em>O_DSYNC</em>, <em>O_APPEND</em>, <em>O_CREAT</em>, <em>O_RDWR</em>, <em>O_WRONLY</em>, <em>O_RDONLY</em>, <em>O_CLOEXEC</em>, <em>O_NONE</em>, <em>O_TMPFILE</em>, <em>O_F_CREATED</em>, <em>FD_UPPER_LAYER</em>, <em>FD_LOWER_LAYER</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>openat2</code></td> <td style="text-align: left">FD <strong>dirfd</strong>, FSRELPATH <strong>name</strong>, FLAGS32 <strong>flags</strong>: <em>O_LARGEFILE</em>, <em>O_DIRECTORY</em>, <em>O_DIRECT</em>, <em>O_TRUNC</em>, <em>O_SYNC</em>, <em>O_NONBLOCK</em>, <em>O_EXCL</em>, <em>O_DSYNC</em>, <em>O_APPEND</em>, <em>O_CREAT</em>, <em>O_RDWR</em>, <em>O_WRONLY</em>, <em>O_RDONLY</em>, <em>O_CLOEXEC</em>, <em>O_NONE</em>, <em>O_TMPFILE</em>, <em>O_F_CREATED</em>, <em>FD_UPPER_LAYER</em>, <em>FD_LOWER_LAYER</em>, UINT32 <strong>mode</strong>, FLAGS32 <strong>resolve</strong>: <em>RESOLVE_BENEATH</em>, <em>RESOLVE_IN_ROOT</em>, <em>RESOLVE_NO_MAGICLINKS</em>, <em>RESOLVE_NO_SYMLINKS</em>, <em>RESOLVE_NO_XDEV</em>, <em>RESOLVE_CACHED</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>openat2</code></td> <td style="text-align: left">FD <strong>fd</strong>, FD <strong>dirfd</strong>, FSRELPATH <strong>name</strong>, FLAGS32 <strong>flags</strong>: <em>O_LARGEFILE</em>, <em>O_DIRECTORY</em>, <em>O_DIRECT</em>, <em>O_TRUNC</em>, <em>O_SYNC</em>, <em>O_NONBLOCK</em>, <em>O_EXCL</em>, <em>O_DSYNC</em>, <em>O_APPEND</em>, <em>O_CREAT</em>, <em>O_RDWR</em>, <em>O_WRONLY</em>, <em>O_RDONLY</em>, <em>O_CLOEXEC</em>, <em>O_NONE</em>, <em>O_TMPFILE</em>, <em>O_F_CREATED</em>, <em>FD_UPPER_LAYER</em>, <em>FD_LOWER_LAYER</em>, UINT32 <strong>mode</strong>, FLAGS32 <strong>resolve</strong>: <em>RESOLVE_BENEATH</em>, <em>RESOLVE_IN_ROOT</em>, <em>RESOLVE_NO_MAGICLINKS</em>, <em>RESOLVE_NO_SYMLINKS</em>, <em>RESOLVE_NO_XDEV</em>, <em>RESOLVE_CACHED</em>, UINT32 <strong>dev</strong>, UINT64 <strong>ino</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>mprotect</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, UINT64 <strong>addr</strong>, UINT64 <strong>length</strong>, FLAGS32 <strong>prot</strong>: <em>PROT_READ</em>, <em>PROT_WRITE</em>, <em>PROT_EXEC</em>, <em>PROT_SEM</em>, <em>PROT_GROWSDOWN</em>, <em>PROT_GROWSUP</em>, <em>PROT_SAO</em>, <em>PROT_NONE</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>execveat</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, CHARBUF <strong>exe</strong>, BYTEBUF <strong>args</strong>, PID <strong>tid</strong>, PID <strong>pid</strong>, PID <strong>ptid</strong>, CHARBUF <strong>cwd</strong>, UINT64 <strong>fdlimit</strong>, UINT64 <strong>pgft_maj</strong>, UINT64 <strong>pgft_min</strong>, UINT32 <strong>vm_size</strong>, UINT32 <strong>vm_rss</strong>, UINT32 <strong>vm_swap</strong>, CHARBUF <strong>comm</strong>, BYTEBUF <strong>cgroups</strong>, BYTEBUF <strong>env</strong>, UINT32 <strong>tty</strong>, PID <strong>vpgid</strong>, UID <strong>loginuid</strong>, FLAGS32 <strong>flags</strong>: <em>EXE_WRITABLE</em>, <em>EXE_UPPER_LAYER</em>, <em>EXE_FROM_MEMFD</em>, <em>EXE_LOWER_LAYER</em>, UINT64 <strong>cap_inheritable</strong>, UINT64 <strong>cap_permitted</strong>, UINT64 <strong>cap_effective</strong>, UINT64 <strong>exe_ino</strong>, ABSTIME <strong>exe_ino_ctime</strong>, ABSTIME <strong>exe_ino_mtime</strong>, UID <strong>uid</strong>, FSPATH <strong>trusted_exepath</strong>, PID <strong>pgid</strong>, GID <strong>gid</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>copy_file_range</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fdout</strong>, UINT64 <strong>offout</strong>, FD <strong>fdin</strong>, UINT64 <strong>offin</strong>, UINT64 <strong>len</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>clone3</code></td> <td style="text-align: left">PID <strong>res</strong>, CHARBUF <strong>exe</strong>, BYTEBUF <strong>args</strong>, PID <strong>tid</strong>, PID <strong>pid</strong>, PID <strong>ptid</strong>, CHARBUF <strong>cwd</strong>, INT64 <strong>fdlimit</strong>, UINT64 <strong>pgft_maj</strong>, UINT64 <strong>pgft_min</strong>, UINT32 <strong>vm_size</strong>, UINT32 <strong>vm_rss</strong>, UINT32 <strong>vm_swap</strong>, CHARBUF <strong>comm</strong>, BYTEBUF <strong>cgroups</strong>, FLAGS32 <strong>flags</strong>: <em>CLONE_FILES</em>, <em>CLONE_FS</em>, <em>CLONE_IO</em>, <em>CLONE_NEWIPC</em>, <em>CLONE_NEWNET</em>, <em>CLONE_NEWNS</em>, <em>CLONE_NEWPID</em>, <em>CLONE_NEWUTS</em>, <em>CLONE_PARENT</em>, <em>CLONE_PARENT_SETTID</em>, <em>CLONE_PTRACE</em>, <em>CLONE_SIGHAND</em>, <em>CLONE_SYSVSEM</em>, <em>CLONE_THREAD</em>, <em>CLONE_UNTRACED</em>, <em>CLONE_VM</em>, <em>CLONE_INVERTED</em>, <em>NAME_CHANGED</em>, <em>CLOSED</em>, <em>CLONE_NEWUSER</em>, <em>CLONE_CHILD_CLEARTID</em>, <em>CLONE_CHILD_SETTID</em>, <em>CLONE_SETTLS</em>, <em>CLONE_STOPPED</em>, <em>CLONE_VFORK</em>, <em>CLONE_NEWCGROUP</em>, <em>CLONE_CHILD_IN_PIDNS</em>, UINT32 <strong>uid</strong>, UINT32 <strong>gid</strong>, PID <strong>vtid</strong>, PID <strong>vpid</strong>, UINT64 <strong>pidns_init_start_ts</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>open_by_handle_at</code></td> <td style="text-align: left">FD <strong>fd</strong>, FD <strong>mountfd</strong>, FLAGS32 <strong>flags</strong>: <em>O_LARGEFILE</em>, <em>O_DIRECTORY</em>, <em>O_DIRECT</em>, <em>O_TRUNC</em>, <em>O_SYNC</em>, <em>O_NONBLOCK</em>, <em>O_EXCL</em>, <em>O_DSYNC</em>, <em>O_APPEND</em>, <em>O_CREAT</em>, <em>O_RDWR</em>, <em>O_WRONLY</em>, <em>O_RDONLY</em>, <em>O_CLOEXEC</em>, <em>O_NONE</em>, <em>O_TMPFILE</em>, <em>O_F_CREATED</em>, <em>FD_UPPER_LAYER</em>, <em>FD_LOWER_LAYER</em>, FSPATH <strong>path</strong>, UINT32 <strong>dev</strong>, UINT64 <strong>ino</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>io_uring_setup</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, UINT32 <strong>entries</strong>, UINT32 <strong>sq_entries</strong>, UINT32 <strong>cq_entries</strong>, FLAGS32 <strong>flags</strong>: <em>IORING_SETUP_IOPOLL</em>, <em>IORING_SETUP_SQPOLL</em>, <em>IORING_SQ_NEED_WAKEUP</em>, <em>IORING_SETUP_SQ_AFF</em>, <em>IORING_SETUP_CQSIZE</em>, <em>IORING_SETUP_CLAMP</em>, <em>IORING_SETUP_ATTACH_RW</em>, <em>IORING_SETUP_R_DISABLED</em>, UINT32 <strong>sq_thread_cpu</strong>, UINT32 <strong>sq_thread_idle</strong>, FLAGS32 <strong>features</strong>: <em>IORING_FEAT_SINGLE_MMAP</em>, <em>IORING_FEAT_NODROP</em>, <em>IORING_FEAT_SUBMIT_STABLE</em>, <em>IORING_FEAT_RW_CUR_POS</em>, <em>IORING_FEAT_CUR_PERSONALITY</em>, <em>IORING_FEAT_FAST_POLL</em>, <em>IORING_FEAT_POLL_32BITS</em>, <em>IORING_FEAT_SQPOLL_NONFIXED</em>, <em>IORING_FEAT_ENTER_EXT_ARG</em>, <em>IORING_FEAT_NATIVE_WORKERS</em>, <em>IORING_FEAT_RSRC_TAGS</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>io_uring_enter</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd</strong>, UINT32 <strong>to_submit</strong>, UINT32 <strong>min_complete</strong>, FLAGS32 <strong>flags</strong>: <em>IORING_ENTER_GETEVENTS</em>, <em>IORING_ENTER_SQ_WAKEUP</em>, <em>IORING_ENTER_SQ_WAIT</em>, <em>IORING_ENTER_EXT_ARG</em>, SIGSET <strong>sig</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>io_uring_register</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd</strong>, ENUMFLAGS16 <strong>opcode</strong>: <em>IORING_REGISTER_BUFFERS</em>, <em>IORING_UNREGISTER_BUFFERS</em>, <em>IORING_REGISTER_FILES</em>, <em>IORING_UNREGISTER_FILES</em>, <em>IORING_REGISTER_EVENTFD</em>, <em>IORING_UNREGISTER_EVENTFD</em>, <em>IORING_REGISTER_FILES_UPDATE</em>, <em>IORING_REGISTER_EVENTFD_ASYNC</em>, <em>IORING_REGISTER_PROBE</em>, <em>IORING_REGISTER_PERSONALITY</em>, <em>IORING_UNREGISTER_PERSONALITY</em>, <em>IORING_REGISTER_RESTRICTIONS</em>, <em>IORING_REGISTER_ENABLE_RINGS</em>, <em>IORING_REGISTER_FILES2</em>, <em>IORING_REGISTER_FILES_UPDATE2</em>, <em>IORING_REGISTER_BUFFERS2</em>, <em>IORING_REGISTER_BUFFERS_UPDATE</em>, <em>IORING_REGISTER_IOWQ_AFF</em>, <em>IORING_UNREGISTER_IOWQ_AFF</em>, <em>IORING_REGISTER_IOWQ_MAX_WORKERS</em>, <em>IORING_REGISTER_RING_FDS</em>, <em>IORING_UNREGISTER_RING_FDS</em>, UINT64 <strong>arg</strong>, UINT32 <strong>nr_args</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>mlock</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, UINT64 <strong>addr</strong>, UINT64 <strong>len</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>munlock</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, UINT64 <strong>addr</strong>, UINT64 <strong>len</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>mlockall</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FLAGS32 <strong>flags</strong>: <em>MCL_CURRENT</em>, <em>MCL_FUTURE</em>, <em>MCL_ONFAULT</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>munlockall</code></td> <td style="text-align: left">ERRNO <strong>res</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>capset</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, UINT64 <strong>cap_inheritable</strong>, UINT64 <strong>cap_permitted</strong>, UINT64 <strong>cap_effective</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>dup2</code></td> <td style="text-align: left">FD <strong>res</strong>, FD <strong>oldfd</strong>, FD <strong>newfd</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>dup3</code></td> <td style="text-align: left">FD <strong>res</strong>, FD <strong>oldfd</strong>, FD <strong>newfd</strong>, FLAGS32 <strong>flags</strong>: <em>O_LARGEFILE</em>, <em>O_DIRECTORY</em>, <em>O_DIRECT</em>, <em>O_TRUNC</em>, <em>O_SYNC</em>, <em>O_NONBLOCK</em>, <em>O_EXCL</em>, <em>O_DSYNC</em>, <em>O_APPEND</em>, <em>O_CREAT</em>, <em>O_RDWR</em>, <em>O_WRONLY</em>, <em>O_RDONLY</em>, <em>O_CLOEXEC</em>, <em>O_NONE</em>, <em>O_TMPFILE</em>, <em>O_F_CREATED</em>, <em>FD_UPPER_LAYER</em>, <em>FD_LOWER_LAYER</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>dup</code></td> <td style="text-align: left">FD <strong>res</strong>, FD <strong>oldfd</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>bpf</code></td> <td style="text-align: left">FD <strong>fd</strong>, ENUMFLAGS32 <strong>cmd</strong>: <em>BPF_MAP_CREATE</em>, <em>BPF_MAP_LOOKUP_ELEM</em>, <em>BPF_MAP_UPDATE_ELEM</em>, <em>BPF_MAP_DELETE_ELEM</em>, <em>BPF_MAP_GET_NEXT_KEY</em>, <em>BPF_PROG_LOAD</em>, <em>BPF_OBJ_PIN</em>, <em>BPF_OBJ_GET</em>, <em>BPF_PROG_ATTACH</em>, <em>BPF_PROG_DETACH</em>, <em>BPF_PROG_TEST_RUN</em>, <em>BPF_PROG_RUN</em>, <em>BPF_PROG_GET_NEXT_ID</em>, <em>BPF_MAP_GET_NEXT_ID</em>, <em>BPF_PROG_GET_FD_BY_ID</em>, <em>BPF_MAP_GET_FD_BY_ID</em>, <em>BPF_OBJ_GET_INFO_BY_FD</em>, <em>BPF_PROG_QUERY</em>, <em>BPF_RAW_TRACEPOINT_OPEN</em>, <em>BPF_BTF_LOAD</em>, <em>BPF_BTF_GET_FD_BY_ID</em>, <em>BPF_TASK_FD_QUERY</em>, <em>BPF_MAP_LOOKUP_AND_DELETE_ELEM</em>, <em>BPF_MAP_FREEZE</em>, <em>BPF_BTF_GET_NEXT_ID</em>, <em>BPF_MAP_LOOKUP_BATCH</em>, <em>BPF_MAP_LOOKUP_AND_DELETE_BATCH</em>, <em>BPF_MAP_UPDATE_BATCH</em>, <em>BPF_MAP_DELETE_BATCH</em>, <em>BPF_LINK_CREATE</em>, <em>BPF_LINK_UPDATE</em>, <em>BPF_LINK_GET_FD_BY_ID</em>, <em>BPF_LINK_GET_NEXT_ID</em>, <em>BPF_ENABLE_STATS</em>, <em>BPF_ITER_CREATE</em>, <em>BPF_LINK_DETACH</em>, <em>BPF_PROG_BIND_MAP</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>mlock2</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, UINT64 <strong>addr</strong>, UINT64 <strong>len</strong>, FLAGS32 <strong>flags</strong>: <em>MLOCK_ONFAULT</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fsconfig</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd</strong>, ENUMFLAGS32 <strong>cmd</strong>: <em>FSCONFIG_SET_FLAG</em>, <em>FSCONFIG_SET_STRING</em>, <em>FSCONFIG_SET_BINARY</em>, <em>FSCONFIG_SET_PATH</em>, <em>FSCONFIG_SET_PATH_EMPTY</em>, <em>FSCONFIG_SET_FD</em>, <em>FSCONFIG_CMD_CREATE</em>, <em>FSCONFIG_CMD_RECONFIGURE</em>, CHARBUF <strong>key</strong>, BYTEBUF <strong>value_bytebuf</strong>, CHARBUF <strong>value_charbuf</strong>, INT32 <strong>aux</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>epoll_create</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, INT32 <strong>size</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>epoll_create1</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FLAGS32 <strong>flags</strong>: <em>EPOLL_CLOEXEC</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>chown</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FSPATH <strong>path</strong>, UINT32 <strong>uid</strong>, UINT32 <strong>gid</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>lchown</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FSPATH <strong>path</strong>, UINT32 <strong>uid</strong>, UINT32 <strong>gid</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fchown</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd</strong>, UINT32 <strong>uid</strong>, UINT32 <strong>gid</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fchownat</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>dirfd</strong>, FSRELPATH <strong>pathname</strong>, UINT32 <strong>uid</strong>, UINT32 <strong>gid</strong>, FLAGS32 <strong>flags</strong>: <em>AT_SYMLINK_NOFOLLOW</em>, <em>AT_EMPTY_PATH</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>umount</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FSPATH <strong>name</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>accept4</code></td> <td style="text-align: left">FD <strong>fd</strong>, SOCKTUPLE <strong>tuple</strong>, UINT8 <strong>queuepct</strong>, UINT32 <strong>queuelen</strong>, UINT32 <strong>queuemax</strong>, INT32 <strong>flags</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>umount2</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FSPATH <strong>name</strong>, FLAGS32 <strong>flags</strong>: <em>FORCE</em>, <em>DETACH</em>, <em>EXPIRE</em>, <em>NOFOLLOW</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>pipe2</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd1</strong>, FD <strong>fd2</strong>, UINT64 <strong>ino</strong>, FLAGS32 <strong>flags</strong>: <em>O_LARGEFILE</em>, <em>O_DIRECTORY</em>, <em>O_DIRECT</em>, <em>O_TRUNC</em>, <em>O_SYNC</em>, <em>O_NONBLOCK</em>, <em>O_EXCL</em>, <em>O_DSYNC</em>, <em>O_APPEND</em>, <em>O_CREAT</em>, <em>O_RDWR</em>, <em>O_WRONLY</em>, <em>O_RDONLY</em>, <em>O_CLOEXEC</em>, <em>O_NONE</em>, <em>O_TMPFILE</em>, <em>O_F_CREATED</em>, <em>FD_UPPER_LAYER</em>, <em>FD_LOWER_LAYER</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>inotify_init1</code></td> <td style="text-align: left">FD <strong>res</strong>, FLAGS16 <strong>flags</strong>: <em>O_LARGEFILE</em>, <em>O_DIRECTORY</em>, <em>O_DIRECT</em>, <em>O_TRUNC</em>, <em>O_SYNC</em>, <em>O_NONBLOCK</em>, <em>O_EXCL</em>, <em>O_DSYNC</em>, <em>O_APPEND</em>, <em>O_CREAT</em>, <em>O_RDWR</em>, <em>O_WRONLY</em>, <em>O_RDONLY</em>, <em>O_CLOEXEC</em>, <em>O_NONE</em>, <em>O_TMPFILE</em>, <em>O_F_CREATED</em>, <em>FD_UPPER_LAYER</em>, <em>FD_LOWER_LAYER</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>eventfd2</code></td> <td style="text-align: left">FD <strong>res</strong>, FLAGS16 <strong>flags</strong>: <em>O_LARGEFILE</em>, <em>O_DIRECTORY</em>, <em>O_DIRECT</em>, <em>O_TRUNC</em>, <em>O_SYNC</em>, <em>O_NONBLOCK</em>, <em>O_EXCL</em>, <em>O_DSYNC</em>, <em>O_APPEND</em>, <em>O_CREAT</em>, <em>O_RDWR</em>, <em>O_WRONLY</em>, <em>O_RDONLY</em>, <em>O_CLOEXEC</em>, <em>O_NONE</em>, <em>O_TMPFILE</em>, <em>O_F_CREATED</em>, <em>FD_UPPER_LAYER</em>, <em>FD_LOWER_LAYER</em>, UINT64 <strong>initval</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>signalfd4</code></td> <td style="text-align: left">FD <strong>res</strong>, FLAGS16 <strong>flags</strong>: <em>O_LARGEFILE</em>, <em>O_DIRECTORY</em>, <em>O_DIRECT</em>, <em>O_TRUNC</em>, <em>O_SYNC</em>, <em>O_NONBLOCK</em>, <em>O_EXCL</em>, <em>O_DSYNC</em>, <em>O_APPEND</em>, <em>O_CREAT</em>, <em>O_RDWR</em>, <em>O_WRONLY</em>, <em>O_RDONLY</em>, <em>O_CLOEXEC</em>, <em>O_NONE</em>, <em>O_TMPFILE</em>, <em>O_F_CREATED</em>, <em>FD_UPPER_LAYER</em>, <em>FD_LOWER_LAYER</em>, FD <strong>fd</strong>, UINT32 <strong>mask</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>prctl</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, ENUMFLAGS32 <strong>option</strong>: <em>PR_GET_DUMPABLE</em>, <em>PR_SET_DUMPABLE</em>, <em>PR_GET_KEEPCAPS</em>, <em>PR_SET_KEEPCAPS</em>, <em>PR_SET_NAME</em>, <em>PR_GET_NAME</em>, <em>PR_GET_SECCOMP</em>, <em>PR_SET_SECCOMP</em>, <em>PR_CAPBSET_READ</em>, <em>PR_CAPBSET_DROP</em>, <em>PR_GET_SECUREBITS</em>, <em>PR_SET_SECUREBITS</em>, <em>PR_MCE_KILL</em>, <em>PR_MCE_KILL</em>, <em>PR_SET_MM</em>, <em>PR_SET_CHILD_SUBREAPER</em>, <em>PR_GET_CHILD_SUBREAPER</em>, <em>PR_SET_NO_NEW_PRIVS</em>, <em>PR_GET_NO_NEW_PRIVS</em>, <em>PR_GET_TID_ADDRESS</em>, <em>PR_SET_THP_DISABLE</em>, <em>PR_GET_THP_DISABLE</em>, <em>PR_CAP_AMBIENT</em>, CHARBUF <strong>arg2_str</strong>, INT64 <strong>arg2_int</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>memfd_create</code></td> <td style="text-align: left">FD <strong>fd</strong>, CHARBUF <strong>name</strong>, FLAGS32 <strong>flags</strong>: <em>MFD_CLOEXEC</em>, <em>MFD_ALLOW_SEALING</em>, <em>MFD_HUGETLB</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>pidfd_getfd</code></td> <td style="text-align: left">FD <strong>fd</strong>, FD <strong>pid_fd</strong>, FD <strong>target_fd</strong>, UINT32 <strong>flags</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>pidfd_open</code></td> <td style="text-align: left">FD <strong>fd</strong>, PID <strong>pid</strong>, FLAGS32 <strong>flags</strong>: <em>PIDFD_NONBLOCK</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>init_module</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, BYTEBUF <strong>img</strong>, UINT64 <strong>length</strong>, CHARBUF <strong>uargs</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>finit_module</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>fd</strong>, CHARBUF <strong>uargs</strong>, FLAGS32 <strong>flags</strong>: <em>MODULE_INIT_IGNORE_MODVERSIONS</em>, <em>MODULE_INIT_IGNORE_VERMAGIC</em>, <em>MODULE_INIT_COMPRESSED_FILE</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>mknod</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FSPATH <strong>path</strong>, MODE <strong>mode</strong>, UINT32 <strong>dev</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>mknodat</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>dirfd</strong>, FSRELPATH <strong>path</strong>, MODE <strong>mode</strong>, UINT32 <strong>dev</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>newfstatat</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, FD <strong>dirfd</strong>, FSRELPATH <strong>path</strong>, FLAGS32 <strong>flags</strong>: <em>AT_EMPTY_PATH</em>, <em>AT_NO_AUTOMOUNT</em>, <em>AT_SYMLINK_NOFOLLOW</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>process_vm_readv</code></td> <td style="text-align: left">INT64 <strong>res</strong>, PID <strong>pid</strong>, BYTEBUF <strong>data</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>process_vm_writev</code></td> <td style="text-align: left">INT64 <strong>res</strong>, PID <strong>pid</strong>, BYTEBUF <strong>data</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>delete_module</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, CHARBUF <strong>name</strong>, FLAGS32 <strong>flags</strong>: <em>O_NONBLOCK</em>, <em>O_TRUNC</em></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>setreuid</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, UID <strong>ruid</strong>, UID <strong>euid</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>setregid</code></td> <td style="text-align: left">ERRNO <strong>res</strong>, UID <strong>rgid</strong>, UID <strong>egid</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>adjtimex</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>adjtimex</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>exit</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>exit</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sethostname</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sethostname</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>getsid</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getsid</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>fstatfs</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fstatfs</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>pivot_root</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>pivot_root</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>oldstat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>oldstat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>umask</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>umask</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>madvise</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>madvise</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>statfs64</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>statfs64</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>iopl</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>iopl</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>swapon</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>swapon</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>utime</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>utime</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>getpid</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getpid</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>setdomainname</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>setdomainname</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>semtimedop</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>semtimedop</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>mq_notify</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>mq_notify</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>nfsservctl</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>nfsservctl</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>pkey_mprotect</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>pkey_mprotect</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>fgetxattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fgetxattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sysinfo</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sysinfo</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>uselib</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>uselib</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>olduname</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>olduname</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>set_mempolicy</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>set_mempolicy</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>getppid</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getppid</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sched_yield</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sched_yield</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>getrusage</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getrusage</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sigsuspend</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sigsuspend</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>riscv_hwprobe</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>riscv_hwprobe</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>bdflush</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>bdflush</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>get_kernel_syms</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>get_kernel_syms</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>pause</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>pause</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>getpmsg</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getpmsg</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>clock_gettime</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>clock_gettime</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>mq_getsetattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>mq_getsetattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>spu_run</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>spu_run</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>personality</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>personality</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>request_key</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>request_key</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>readlink</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>readlink</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>times</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>times</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>reboot</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>reboot</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>syslog</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>syslog</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>ipc</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>ipc</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>create_module</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>create_module</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>listxattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>listxattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>setxattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>setxattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>setpriority</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>setpriority</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sigreturn</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sigreturn</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>setgroups</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>setgroups</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>preadv2</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>preadv2</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>setitimer</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>setitimer</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>shmat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>shmat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>getitimer</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getitimer</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>removexattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>removexattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>msgget</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>msgget</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>spu_create</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>spu_create</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>capget</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>capget</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>rt_sigsuspend</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>rt_sigsuspend</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>mseal</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>mseal</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>fanotify_init</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fanotify_init</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>readdir</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>readdir</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>getxattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getxattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>mq_timedreceive</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>mq_timedreceive</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>nice</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>nice</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>fsopen</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fsopen</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>rt_sigpending</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>rt_sigpending</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sysfs</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sysfs</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>acct</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>acct</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>setfsgid</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>setfsgid</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sync</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sync</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>clock_adjtime</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>clock_adjtime</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>io_getevents</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>io_getevents</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>query_module</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>query_module</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>remap_file_pages</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>remap_file_pages</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>rt_sigprocmask</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>rt_sigprocmask</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>mincore</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>mincore</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>getpgid</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getpgid</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>msgsnd</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>msgsnd</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sched_getparam</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sched_getparam</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>getgroups</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getgroups</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>ustat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>ustat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>uname</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>uname</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>epoll_ctl</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>epoll_ctl</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>lgetxattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>lgetxattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>_sysctl</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>_sysctl</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>rt_sigtimedwait</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>rt_sigtimedwait</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>flistxattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>flistxattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>pkey_alloc</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>pkey_alloc</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>time</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>time</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>kcmp</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>kcmp</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>epoll_pwait</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>epoll_pwait</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>oldlstat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>oldlstat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sched_setscheduler</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sched_setscheduler</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>statfs</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>statfs</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>fdatasync</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fdatasync</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>set_robust_list</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>set_robust_list</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>swapoff</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>swapoff</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>quotactl_fd</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>quotactl_fd</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>exit_group</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>exit_group</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>listmount</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>listmount</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>timerfd_settime</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>timerfd_settime</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sched_getscheduler</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sched_getscheduler</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sched_get_priority_min</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sched_get_priority_min</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>ftruncate</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>ftruncate</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>pkey_free</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>pkey_free</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sched_rr_get_interval</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sched_rr_get_interval</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>open_tree</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>open_tree</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>idle</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>idle</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>mremap</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>mremap</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>rt_sigaction</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>rt_sigaction</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>stime</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>stime</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sched_getattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sched_getattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>rt_sigqueueinfo</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>rt_sigqueueinfo</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sync_file_range</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sync_file_range</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>mq_unlink</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>mq_unlink</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>alarm</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>alarm</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>inotify_rm_watch</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>inotify_rm_watch</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>lsetxattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>lsetxattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>timer_delete</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>timer_delete</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>msync</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>msync</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>timer_settime</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>timer_settime</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sigprocmask</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sigprocmask</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>lremovexattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>lremovexattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>fremovexattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fremovexattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sched_setaffinity</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sched_setaffinity</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>fsetxattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fsetxattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>settimeofday</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>settimeofday</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>gettimeofday</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>gettimeofday</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>io_setup</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>io_setup</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>llistxattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>llistxattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>fsync</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fsync</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>pidfd_send_signal</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>pidfd_send_signal</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>getrandom</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getrandom</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>s390_sthyi</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>s390_sthyi</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>io_destroy</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>io_destroy</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sigaltstack</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sigaltstack</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>riscv_flush_icache</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>riscv_flush_icache</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>mount_setattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>mount_setattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>getpgrp</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getpgrp</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>vhangup</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>vhangup</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>set_tid_address</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>set_tid_address</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>timer_create</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>timer_create</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>timer_gettime</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>timer_gettime</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>timer_getoverrun</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>timer_getoverrun</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>clock_settime</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>clock_settime</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>clock_getres</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>clock_getres</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>utimes</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>utimes</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>vm86</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>vm86</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>lsm_set_self_attr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>lsm_set_self_attr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>clock_nanosleep</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>clock_nanosleep</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>futimesat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>futimesat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>signal</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>signal</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>mq_open</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>mq_open</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>keyctl</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>keyctl</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>ioprio_set</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>ioprio_set</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>landlock_add_rule</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>landlock_add_rule</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>add_key</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>add_key</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>set_thread_area</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>set_thread_area</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>ioprio_get</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>ioprio_get</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sync_file_range2</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sync_file_range2</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>ioperm</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>ioperm</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sigaction</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sigaction</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>inotify_add_watch</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>inotify_add_watch</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>fallocate</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fallocate</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>get_thread_area</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>get_thread_area</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>readlinkat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>readlinkat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>name_to_handle_at</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>name_to_handle_at</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>perf_event_open</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>perf_event_open</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>kexec_load</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>kexec_load</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>truncate</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>truncate</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>faccessat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>faccessat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>mq_timedsend</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>mq_timedsend</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>restart_syscall</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>restart_syscall</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>map_shadow_stack</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>map_shadow_stack</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>pselect6</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>pselect6</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>epoll_ctl_old</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>epoll_ctl_old</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>get_robust_list</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>get_robust_list</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>tee</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>tee</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>vmsplice</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>vmsplice</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>getcpu</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getcpu</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>utimensat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>utimensat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>rseq</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>rseq</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>timerfd_gettime</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>timerfd_gettime</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>syncfs</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>syncfs</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>msgctl</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>msgctl</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>io_submit</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>io_submit</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>oldolduname</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>oldolduname</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>shmdt</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>shmdt</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sched_getaffinity</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sched_getaffinity</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>fstatat64</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fstatat64</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>socketcall</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>socketcall</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>waitid</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>waitid</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sgetmask</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sgetmask</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>io_cancel</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>io_cancel</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sched_setparam</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sched_setparam</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>cachestat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>cachestat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sched_setattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sched_setattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>ssetmask</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>ssetmask</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>_newselect</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>_newselect</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>setfsuid</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>setfsuid</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sigpending</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sigpending</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>wait4</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>wait4</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>process_mrelease</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>process_mrelease</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>waitpid</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>waitpid</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>arch_prctl</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>arch_prctl</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>rt_sigreturn</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>rt_sigreturn</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>fadvise64</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fadvise64</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>msgrcv</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>msgrcv</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>move_mount</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>move_mount</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>lookup_dcookie</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>lookup_dcookie</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>fspick</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fspick</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>shmget</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>shmget</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>fsmount</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fsmount</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>epoll_pwait2</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>epoll_pwait2</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>move_pages</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>move_pages</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>shmctl</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>shmctl</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>memfd_secret</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>memfd_secret</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>landlock_restrict_self</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>landlock_restrict_self</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sched_get_priority_max</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sched_get_priority_max</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>sys_debug_setcontext</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>sys_debug_setcontext</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>kexec_file_load</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>kexec_file_load</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>process_madvise</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>process_madvise</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>landlock_create_ruleset</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>landlock_create_ruleset</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>rt_tgsigqueueinfo</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>rt_tgsigqueueinfo</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>migrate_pages</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>migrate_pages</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>fstatfs64</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fstatfs64</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>pwritev2</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>pwritev2</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>mbind</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>mbind</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>modify_ldt</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>modify_ldt</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>gettid</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>gettid</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>statx</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>statx</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>getpriority</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getpriority</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>io_pgetevents</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>io_pgetevents</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>listxattrat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>listxattrat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>set_mempolicy_home_node</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>set_mempolicy_home_node</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>readahead</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>readahead</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>futex_waitv</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>futex_waitv</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>epoll_wait_old</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>epoll_wait_old</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>faccessat2</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>faccessat2</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>get_mempolicy</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>get_mempolicy</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>membarrier</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>membarrier</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>pciconfig_iobase</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>pciconfig_iobase</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>close_range</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>close_range</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>fanotify_mark</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fanotify_mark</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>open_tree_attr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>open_tree_attr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>timerfd</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>timerfd</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>s390_pci_mmio_read</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>s390_pci_mmio_read</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>s390_pci_mmio_write</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>s390_pci_mmio_write</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>s390_runtime_instr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>s390_runtime_instr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>s390_guarded_storage</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>s390_guarded_storage</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>fchmodat2</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>fchmodat2</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>futex_wake</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>futex_wake</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>futex_requeue</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>futex_requeue</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>futex_wait</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>futex_wait</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>switch_endian</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>switch_endian</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>multiplexer</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>multiplexer</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>oldfstat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>oldfstat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>lsm_get_self_attr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>lsm_get_self_attr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>swapcontext</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>swapcontext</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>pciconfig_write</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>pciconfig_write</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>rtas</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>rtas</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>pciconfig_read</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>pciconfig_read</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>subpage_prot</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>subpage_prot</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>statmount</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>statmount</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>lsm_list_modules</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>lsm_list_modules</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>uretprobe</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>uretprobe</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>removexattrat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>removexattrat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>getxattrat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>getxattrat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>setxattrat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>setxattrat</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>file_getattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>file_getattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>file_setattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>file_setattr</code></td> <td style="text-align: left">SYSCALLID <strong>ID</strong>, UINT16 <strong>nativeID</strong></td> </tr> </tbody> </table> <h2 id="tracepoint-events">Tracepoint events</h2> <table> <thead> <tr> <th style="text-align: left">Default</th> <th style="text-align: left">Dir</th> <th style="text-align: left">Name</th> <th style="text-align: left">Params</th> </tr> </thead> <tbody> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>switch</code></td> <td style="text-align: left">PID <strong>next</strong>, UINT64 <strong>pgft_maj</strong>, UINT64 <strong>pgft_min</strong>, UINT32 <strong>vm_size</strong>, UINT32 <strong>vm_rss</strong>, UINT32 <strong>vm_swap</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>procexit</code></td> <td style="text-align: left">ERRNO <strong>status</strong>, ERRNO <strong>ret</strong>, SIGTYPE <strong>sig</strong>, UINT8 <strong>core</strong>, PID <strong>reaper_tid</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>signaldeliver</code></td> <td style="text-align: left">PID <strong>spid</strong>, PID <strong>dpid</strong>, SIGTYPE <strong>sig</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>page_fault</code></td> <td style="text-align: left">UINT64 <strong>addr</strong>, UINT64 <strong>ip</strong>, FLAGS32 <strong>error</strong>: <em>PROTECTION_VIOLATION</em>, <em>PAGE_NOT_PRESENT</em>, <em>WRITE_ACCESS</em>, <em>READ_ACCESS</em>, <em>USER_FAULT</em>, <em>SUPERVISOR_FAULT</em>, <em>RESERVED_PAGE</em>, <em>INSTRUCTION_FETCH</em></td> </tr> </tbody> </table> <h2 id="plugin-events">Plugin events</h2> <table> <thead> <tr> <th style="text-align: left">Default</th> <th style="text-align: left">Dir</th> <th style="text-align: left">Name</th> <th style="text-align: left">Params</th> </tr> </thead> <tbody> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>pluginevent</code></td> <td style="text-align: left">UINT32 <strong>plugin_id</strong>, BYTEBUF <strong>event_data</strong></td> </tr> </tbody> </table> <h2 id="metaevents">Metaevents</h2> <table> <thead> <tr> <th style="text-align: left">Default</th> <th style="text-align: left">Dir</th> <th style="text-align: left">Name</th> <th style="text-align: left">Params</th> </tr> </thead> <tbody> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>drop</code></td> <td style="text-align: left">UINT32 <strong>ratio</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&lt;</code></td> <td style="text-align: left"><code>drop</code></td> <td style="text-align: left">UINT32 <strong>ratio</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>scapevent</code></td> <td style="text-align: left">UINT32 <strong>event_type</strong>, UINT64 <strong>event_data</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>procinfo</code></td> <td style="text-align: left">UINT64 <strong>cpu_usr</strong>, UINT64 <strong>cpu_sys</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>cpu_hotplug</code></td> <td style="text-align: left">UINT32 <strong>cpu</strong>, UINT32 <strong>action</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>notification</code></td> <td style="text-align: left">CHARBUF <strong>id</strong>, CHARBUF <strong>desc</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>infra</code></td> <td style="text-align: left">CHARBUF <strong>source</strong>, CHARBUF <strong>name</strong>, CHARBUF <strong>description</strong>, CHARBUF <strong>scope</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>container</code></td> <td style="text-align: left">CHARBUF <strong>json</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>useradded</code></td> <td style="text-align: left">UINT32 <strong>uid</strong>, UINT32 <strong>gid</strong>, CHARBUF <strong>name</strong>, CHARBUF <strong>home</strong>, CHARBUF <strong>shell</strong>, CHARBUF <strong>container_id</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>userdeleted</code></td> <td style="text-align: left">UINT32 <strong>uid</strong>, UINT32 <strong>gid</strong>, CHARBUF <strong>name</strong>, CHARBUF <strong>home</strong>, CHARBUF <strong>shell</strong>, CHARBUF <strong>container_id</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>groupadded</code></td> <td style="text-align: left">UINT32 <strong>gid</strong>, CHARBUF <strong>name</strong>, CHARBUF <strong>container_id</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>groupdeleted</code></td> <td style="text-align: left">UINT32 <strong>gid</strong>, CHARBUF <strong>name</strong>, CHARBUF <strong>container_id</strong></td> </tr> <tr> <td style="text-align: left">Yes</td> <td style="text-align: left"><code>&gt;</code></td> <td style="text-align: left"><code>asyncevent</code></td> <td style="text-align: left">UINT32 <strong>plugin_id</strong>, CHARBUF <strong>name</strong>, BYTEBUF <strong>data</strong></td> </tr> </tbody> </table>https://v0-43--falcosecurity.netlify.app/docs/reference/rules/supported-fields/Mon, 01 Jan 0001 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/docs/reference/rules/supported-fields/ <p>Here are the fields supported by Falco. These fields can be used in the <code>condition</code> key of a Falco rule and well as the <code>output</code> key. Any fields included in the <code>output</code> key of a rule will also be included in the alert's <code>output_fields</code> object when <code>json_output</code> is set to <code>true</code>.</p> <p>You can also see this set of fields via <code>falco --list=&lt;source&gt;</code>, with <code>&lt;source&gt;</code> being one of the <a href="https://v0-43--falcosecurity.netlify.app/docs/concepts/event-sources/">Falco event sources</a>.</p> <h3 id="system-calls-source-syscall">System Calls (source <code>syscall</code>)</h3> <p><code>syscall</code> event source fields are provided by the <a href="https://v0-43--falcosecurity.netlify.app/docs/concepts/event-sources/kernel/">Falco Drivers</a>. See the <a href="https://v0-43--falcosecurity.netlify.app/docs/reference/rules/supported-events/">supported events</a> documentation to learn about all the available event types. The field <code>evt.arg</code>, <code>evt.args</code> and <code>evt.rawarg</code> is used to access arguments for each event. For example, in order to access the <code>target</code> arg of a <code>symlinkat</code> exit event you can use <code>evt.arg.target</code>.</p> <pre tabindex="0"><code># System Kernel Fields $ falco --list=syscall </code></pre><!-- generated with: falco --list=syscall --markdown | sed -E 's/## Field Class/### Field Class/g' | awk '!/^Event Sources: syscall\w*/' | awk '/Field Class: evt/{c++;if(c==2){sub("evt","evt (for system calls)");c=0}}1' --> <h3 id="field-class-evt">Field Class: evt</h3> <p>These fields can be used for all event types</p> <table> <thead> <tr> <th style="text-align: left">Name</th> <th style="text-align: left">Type</th> <th style="text-align: left">Description</th> </tr> </thead> <tbody> <tr> <td style="text-align: left"><code>evt.num</code></td> <td style="text-align: left">UINT64</td> <td style="text-align: left">event number.</td> </tr> <tr> <td style="text-align: left"><code>evt.time</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">event timestamp as a time string that includes the nanosecond part.</td> </tr> <tr> <td style="text-align: left"><code>evt.time.s</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">event timestamp as a time string with no nanoseconds.</td> </tr> <tr> <td style="text-align: left"><code>evt.time.iso8601</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">event timestamp in ISO 8601 format, including nanoseconds and time zone offset (in UTC).</td> </tr> <tr> <td style="text-align: left"><code>evt.datetime</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">event timestamp as a time string that includes the date.</td> </tr> <tr> <td style="text-align: left"><code>evt.datetime.s</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">event timestamp as a datetime string with no nanoseconds.</td> </tr> <tr> <td style="text-align: left"><code>evt.rawtime</code></td> <td style="text-align: left">ABSTIME</td> <td style="text-align: left">absolute event timestamp, i.e. nanoseconds from epoch.</td> </tr> <tr> <td style="text-align: left"><code>evt.rawtime.s</code></td> <td style="text-align: left">ABSTIME</td> <td style="text-align: left">integer part of the event timestamp (e.g. seconds since epoch).</td> </tr> <tr> <td style="text-align: left"><code>evt.rawtime.ns</code></td> <td style="text-align: left">ABSTIME</td> <td style="text-align: left">fractional part of the absolute event timestamp.</td> </tr> <tr> <td style="text-align: left"><code>evt.reltime</code></td> <td style="text-align: left">RELTIME</td> <td style="text-align: left">number of nanoseconds from the beginning of the capture.</td> </tr> <tr> <td style="text-align: left"><code>evt.reltime.s</code></td> <td style="text-align: left">RELTIME</td> <td style="text-align: left">number of seconds from the beginning of the capture.</td> </tr> <tr> <td style="text-align: left"><code>evt.reltime.ns</code></td> <td style="text-align: left">RELTIME</td> <td style="text-align: left">fractional part (in ns) of the time from the beginning of the capture.</td> </tr> <tr> <td style="text-align: left"><code>evt.pluginname</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">if the event comes from a plugin-defined event source, the name of the plugin that generated it. The plugin must be currently loaded.</td> </tr> <tr> <td style="text-align: left"><code>evt.plugininfo</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">if the event comes from a plugin-defined event source, a summary of the event as formatted by the plugin. The plugin must be currently loaded.</td> </tr> <tr> <td style="text-align: left"><code>evt.source</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">the name of the source that produced the event.</td> </tr> <tr> <td style="text-align: left"><code>evt.is_async</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' for asynchronous events, 'false' otherwise.</td> </tr> <tr> <td style="text-align: left"><code>evt.asynctype</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">If the event is asynchronous, the type of the event (e.g. 'container').</td> </tr> <tr> <td style="text-align: left"><code>evt.hostname</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The hostname of the underlying host can be customized by setting an environment variable (e.g. FALCO_HOSTNAME for the Falco agent). This is valuable in Kubernetes setups, where the hostname can match the pod name particularly in DaemonSet deployments. To achieve this, assign Kubernetes' spec.nodeName to the environment variable. Notably, spec.nodeName generally includes the cluster name.</td> </tr> </tbody> </table> <h3 id="field-class-evt-for-system-calls">Field Class: evt (for system calls)</h3> <p>Event fields applicable to syscall events. Note that for most events you can access the individual arguments/parameters of each syscall via evt.arg, e.g. evt.arg.filename.</p> <table> <thead> <tr> <th style="text-align: left">Name</th> <th style="text-align: left">Type</th> <th style="text-align: left">Description</th> </tr> </thead> <tbody> <tr> <td style="text-align: left"><code>evt.deltatime</code></td> <td style="text-align: left">RELTIME</td> <td style="text-align: left">delta between this event and the previous event, in nanoseconds.</td> </tr> <tr> <td style="text-align: left"><code>evt.deltatime.s</code></td> <td style="text-align: left">RELTIME</td> <td style="text-align: left">integer part of the delta between this event and the previous event.</td> </tr> <tr> <td style="text-align: left"><code>evt.deltatime.ns</code></td> <td style="text-align: left">RELTIME</td> <td style="text-align: left">fractional part of the delta between this event and the previous event.</td> </tr> <tr> <td style="text-align: left"><code>evt.type</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The name of the event (e.g. 'open').</td> </tr> <tr> <td style="text-align: left"><code>evt.type.is</code></td> <td style="text-align: left">UINT32</td> <td style="text-align: left">allows one to specify an event type, and returns 1 for events that are of that type. For example, evt.type.is.open returns 1 for open events, 0 for any other event.</td> </tr> <tr> <td style="text-align: left"><code>syscall.type</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">For system call events, the name of the system call (e.g. 'open'). Unset for other events (e.g. switch or internal events). Use this field instead of evt.type if you need to make sure that the filtered/printed value is actually a system call.</td> </tr> <tr> <td style="text-align: left"><code>evt.category</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The event category. Example values are 'file' (for file operations like open and close), 'net' (for network operations like socket and bind), memory (for things like brk or mmap), and so on.</td> </tr> <tr> <td style="text-align: left"><code>evt.cpu</code></td> <td style="text-align: left">INT16</td> <td style="text-align: left">number of the CPU where this event happened.</td> </tr> <tr> <td style="text-align: left"><code>evt.args</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">all the event arguments, aggregated into a single string.</td> </tr> <tr> <td style="text-align: left"><code>evt.arg</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">one of the event arguments specified by name or by number. Some events (e.g. return codes or FDs) will be converted into a text representation when possible. E.g. 'evt.arg.fd' or 'evt.arg[0]'.</td> </tr> <tr> <td style="text-align: left"><code>evt.rawarg</code></td> <td style="text-align: left">DYNAMIC</td> <td style="text-align: left">one of the event arguments specified by name. E.g. 'evt.rawarg.fd'.</td> </tr> <tr> <td style="text-align: left"><code>evt.info</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Currently, this field returns the same value as 'evt.args'.</td> </tr> <tr> <td style="text-align: left"><code>evt.buffer</code></td> <td style="text-align: left">BYTEBUF</td> <td style="text-align: left">the binary data buffer for events that have one, like read(), recvfrom(), etc. Use this field in filters with 'contains' to search into I/O data buffers.</td> </tr> <tr> <td style="text-align: left"><code>evt.buflen</code></td> <td style="text-align: left">UINT64</td> <td style="text-align: left">the length of the binary data buffer for events that have one, like read(), recvfrom(), etc.</td> </tr> <tr> <td style="text-align: left"><code>evt.res</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">event return value, as a string. If the event failed, the result is an error code string (e.g. 'ENOENT'), otherwise the result is the string 'SUCCESS'.</td> </tr> <tr> <td style="text-align: left"><code>evt.rawres</code></td> <td style="text-align: left">INT64</td> <td style="text-align: left">event return value, as a number (e.g. -2). Useful for range comparisons.</td> </tr> <tr> <td style="text-align: left"><code>evt.failed</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' for events that returned an error status.</td> </tr> <tr> <td style="text-align: left"><code>evt.is_io</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' for events that read or write to FDs, like read(), send, recvfrom(), etc.</td> </tr> <tr> <td style="text-align: left"><code>evt.is_io_read</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' for events that read from FDs, like read(), recv(), recvfrom(), etc.</td> </tr> <tr> <td style="text-align: left"><code>evt.is_io_write</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' for events that write to FDs, like write(), send(), etc.</td> </tr> <tr> <td style="text-align: left"><code>evt.io_dir</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">'r' for events that read from FDs, like read(); 'w' for events that write to FDs, like write().</td> </tr> <tr> <td style="text-align: left"><code>evt.is_wait</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' for events that make the thread wait, e.g. sleep(), select(), poll().</td> </tr> <tr> <td style="text-align: left"><code>evt.is_syslog</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' for events that are writes to /dev/log.</td> </tr> <tr> <td style="text-align: left"><code>evt.count</code></td> <td style="text-align: left">UINT32</td> <td style="text-align: left">This filter field always returns 1.</td> </tr> <tr> <td style="text-align: left"><code>evt.count.error</code></td> <td style="text-align: left">UINT32</td> <td style="text-align: left">This filter field returns 1 for events that returned with an error.</td> </tr> <tr> <td style="text-align: left"><code>evt.count.error.file</code></td> <td style="text-align: left">UINT32</td> <td style="text-align: left">This filter field returns 1 for events that returned with an error and are related to file I/O.</td> </tr> <tr> <td style="text-align: left"><code>evt.count.error.net</code></td> <td style="text-align: left">UINT32</td> <td style="text-align: left">This filter field returns 1 for events that returned with an error and are related to network I/O.</td> </tr> <tr> <td style="text-align: left"><code>evt.count.error.memory</code></td> <td style="text-align: left">UINT32</td> <td style="text-align: left">This filter field returns 1 for events that returned with an error and are related to memory allocation.</td> </tr> <tr> <td style="text-align: left"><code>evt.count.error.other</code></td> <td style="text-align: left">UINT32</td> <td style="text-align: left">This filter field returns 1 for events that returned with an error and are related to none of the previous categories.</td> </tr> <tr> <td style="text-align: left"><code>evt.count.exit</code></td> <td style="text-align: left">UINT32</td> <td style="text-align: left">This filter field returns 1 for exit events.</td> </tr> <tr> <td style="text-align: left"><code>evt.around</code></td> <td style="text-align: left">UINT64</td> <td style="text-align: left">Accepts the event if it's around the specified time interval. The syntax is evt.around[T]=D, where T is the value returned by %evt.rawtime for the event and D is a delta in milliseconds. For example, evt.around[1404996934793590564]=1000 will return the events with timestamp with one second before the timestamp and one second after it, for a total of two seconds of capture.</td> </tr> <tr> <td style="text-align: left"><code>evt.abspath</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Absolute path calculated from dirfd and name during syscalls like renameat and symlinkat. Use 'evt.abspath.src' or 'evt.abspath.dst' for syscalls that support multiple paths.</td> </tr> <tr> <td style="text-align: left"><code>evt.is_open_read</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' for open/openat/openat2/open_by_handle_at events where the path was opened for reading</td> </tr> <tr> <td style="text-align: left"><code>evt.is_open_write</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' for open/openat/openat2/open_by_handle_at events where the path was opened for writing</td> </tr> <tr> <td style="text-align: left"><code>evt.is_open_exec</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' for open/openat/openat2/open_by_handle_at or creat events where a file is created with execute permissions</td> </tr> <tr> <td style="text-align: left"><code>evt.is_open_create</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' for for open/openat/openat2/open_by_handle_at events where a file is created.</td> </tr> </tbody> </table> <h3 id="field-class-process">Field Class: process</h3> <p>Additional information about the process and thread executing the syscall event.</p> <table> <thead> <tr> <th style="text-align: left">Name</th> <th style="text-align: left">Type</th> <th style="text-align: left">Description</th> </tr> </thead> <tbody> <tr> <td style="text-align: left"><code>proc.exe</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The first command-line argument (i.e., argv[0]), typically the executable name or a custom string as specified by the user. It is primarily obtained from syscall arguments, truncated after 4096 bytes, or, as a fallback, by reading /proc/PID/cmdline, in which case it may be truncated after 1024 bytes. This field may differ from the last component of proc.exepath, reflecting how command invocation and execution paths can vary.</td> </tr> <tr> <td style="text-align: left"><code>proc.pexe</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The proc.exe (first command line argument argv[0]) of the parent process.</td> </tr> <tr> <td style="text-align: left"><code>proc.aexe</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The proc.exe (first command line argument argv[0]) for a specific process ancestor. You can access different levels of ancestors by using indices. For example, proc.aexe[1] retrieves the proc.exe of the parent process, proc.aexe[2] retrieves the proc.exe of the grandparent process, and so on. The current process's proc.exe line can be obtained using proc.aexe[0]. When used without any arguments, proc.aexe is applicable only in filters and matches any of the process ancestors. For instance, you can use <code>proc.aexe endswith java</code> to match any process ancestor whose proc.exe ends with the term <code>java</code>.</td> </tr> <tr> <td style="text-align: left"><code>proc.exepath</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The full executable path of a process, resolving to the canonical path for symlinks. This is primarily obtained from the kernel, or as a fallback, by reading /proc/PID/exe (in the latter case, the path is truncated after 1024 bytes). For eBPF drivers, due to verifier limits, path components may be truncated to 24 for legacy eBPF on kernel &lt;5.2, 48 for legacy eBPF on kernel &gt;=5.2, or 96 for modern eBPF.</td> </tr> <tr> <td style="text-align: left"><code>proc.pexepath</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The proc.exepath (full executable path) of the parent process.</td> </tr> <tr> <td style="text-align: left"><code>proc.aexepath</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The proc.exepath (full executable path) for a specific process ancestor. You can access different levels of ancestors by using indices. For example, proc.aexepath[1] retrieves the proc.exepath of the parent process, proc.aexepath[2] retrieves the proc.exepath of the grandparent process, and so on. The current process's proc.exepath line can be obtained using proc.aexepath[0]. When used without any arguments, proc.aexepath is applicable only in filters and matches any of the process ancestors. For instance, you can use <code>proc.aexepath endswith java</code> to match any process ancestor whose path ends with the term <code>java</code>.</td> </tr> <tr> <td style="text-align: left"><code>proc.name</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The process name (truncated after 16 characters) generating the event (task-&gt;comm). Truncation is determined by kernel settings and not by Falco. This field is collected from the syscalls args or, as a fallback, extracted from /proc/PID/comm. The name of the process and the name of the executable file on disk (if applicable) can be different if a process is given a custom name which is often the case for example for java applications.</td> </tr> <tr> <td style="text-align: left"><code>proc.pname</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The proc.name (truncated after 16 characters) of the parent process.</td> </tr> <tr> <td style="text-align: left"><code>proc.aname</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The proc.name (truncated after 16 characters) for a specific process ancestor. You can access different levels of ancestors by using indices. For example, proc.aname[1] retrieves the proc.name of the parent process, proc.aname[2] retrieves the proc.name of the grandparent process, and so on. The current process's proc.name line can be obtained using proc.aname[0]. When used without any arguments, proc.aname is applicable only in filters and matches any of the process ancestors. For instance, you can use <code>proc.aname=bash</code> to match any process ancestor whose name is <code>bash</code>.</td> </tr> <tr> <td style="text-align: left"><code>proc.args</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The arguments passed on the command line when starting the process generating the event excluding argv[0] (truncated after 4096 bytes). This field is collected from the system call arguments, or as a fallback, extracted from /proc/PID/cmdline, can be accessed by specifying proc.args[INDEX], e.g., proc.args[0] or proc.args[1]. The indexing is zero-based, meaning proc.args[0] refers to the first command-line argument passed, rather than argv[0].</td> </tr> <tr> <td style="text-align: left"><code>proc.aargs</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The arguments passed on the command line when starting the process generating the event for a specific process ancestor. You can access different levels of ancestors by using indices. For example, proc.aargs[1] retrieves the arguments passed on the command line of the parent process, proc.aargs[2] retrieves the proc.args of the grandparent process, and so on. The current process's arguments passed on the command line can be obtained using proc.aargs[0]. When used without any arguments, proc.aargs is applicable only in filters and matches any of the process ancestors. For instance, you can use <code>proc.aargs contains base64</code> to match any process ancestor whose arguments passed on the command line contains the term base64.</td> </tr> <tr> <td style="text-align: left"><code>proc.cmdline</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The concatenation of <code>proc.name + proc.args</code> (truncated after 4096 bytes) when starting the process generating the event.</td> </tr> <tr> <td style="text-align: left"><code>proc.pcmdline</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The proc.cmdline (full command line (proc.name + proc.args)) of the parent process.</td> </tr> <tr> <td style="text-align: left"><code>proc.acmdline</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The full command line (proc.name + proc.args) for a specific process ancestor. You can access different levels of ancestors by using indices. For example, proc.acmdline[1] retrieves the full command line of the parent process, proc.acmdline[2] retrieves the proc.cmdline of the grandparent process, and so on. The current process's full command line can be obtained using proc.acmdline[0]. When used without any arguments, proc.acmdline is applicable only in filters and matches any of the process ancestors. For instance, you can use <code>proc.acmdline contains base64</code> to match any process ancestor whose command line contains the term base64.</td> </tr> <tr> <td style="text-align: left"><code>proc.cmdnargs</code></td> <td style="text-align: left">UINT64</td> <td style="text-align: left">The number of command line args (proc.args).</td> </tr> <tr> <td style="text-align: left"><code>proc.cmdlenargs</code></td> <td style="text-align: left">UINT64</td> <td style="text-align: left">The total count of characters / length of the command line args (proc.args) combined excluding whitespaces between args.</td> </tr> <tr> <td style="text-align: left"><code>proc.exeline</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The full command line, with exe as first argument (proc.exe + proc.args) when starting the process generating the event.</td> </tr> <tr> <td style="text-align: left"><code>proc.env</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The environment variables of the process generating the event as concatenated string 'ENV_NAME=value ENV_NAME1=value1'. Can also be used to extract the value of a known env variable, e.g. proc.env[ENV_NAME].</td> </tr> <tr> <td style="text-align: left"><code>proc.aenv</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">[EXPERIMENTAL] This field can be used in three flavors: (1) as a filter checking all parents, e.g. 'proc.aenv contains xyz', which is similar to the familiar 'proc.aname contains xyz' approach, (2) checking the <code>proc.env</code> of a specified level of the parent, e.g. 'proc.aenv[2]', which is similar to the familiar 'proc.aname[2]' approach, or (3) checking the first matched value of a known ENV_NAME in the parent lineage, such as 'proc.aenv[ENV_NAME]' (across a max of 20 ancestor levels). This field may be deprecated or undergo breaking changes in future releases. Please use it with caution.</td> </tr> <tr> <td style="text-align: left"><code>proc.cwd</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The current working directory of the event.</td> </tr> <tr> <td style="text-align: left"><code>proc.loginshellid</code></td> <td style="text-align: left">INT64</td> <td style="text-align: left">The pid of the oldest shell among the ancestors of the current process, if there is one. This field can be used to separate different user sessions.</td> </tr> <tr> <td style="text-align: left"><code>proc.tty</code></td> <td style="text-align: left">UINT32</td> <td style="text-align: left">The controlling terminal of the process. 0 for processes without a terminal.</td> </tr> <tr> <td style="text-align: left"><code>proc.pid</code></td> <td style="text-align: left">INT64</td> <td style="text-align: left">The id of the process generating the event.</td> </tr> <tr> <td style="text-align: left"><code>proc.ppid</code></td> <td style="text-align: left">INT64</td> <td style="text-align: left">The pid of the parent of the process generating the event.</td> </tr> <tr> <td style="text-align: left"><code>proc.apid</code></td> <td style="text-align: left">INT64</td> <td style="text-align: left">The pid for a specific process ancestor. You can access different levels of ancestors by using indices. For example, proc.apid[1] retrieves the pid of the parent process, proc.apid[2] retrieves the pid of the grandparent process, and so on. The current process's pid can be obtained using proc.apid[0]. When used without any arguments, proc.apid is applicable only in filters and matches any of the process ancestors. For instance, you can use <code>proc.apid=1337</code> to match any process ancestor whose pid is equal to 1337.</td> </tr> <tr> <td style="text-align: left"><code>proc.vpid</code></td> <td style="text-align: left">INT64</td> <td style="text-align: left">The id of the process generating the event as seen from its current PID namespace.</td> </tr> <tr> <td style="text-align: left"><code>proc.pvpid</code></td> <td style="text-align: left">INT64</td> <td style="text-align: left">The id of the parent process generating the event as seen from its current PID namespace.</td> </tr> <tr> <td style="text-align: left"><code>proc.sid</code></td> <td style="text-align: left">INT64</td> <td style="text-align: left">The session id of the process generating the event.</td> </tr> <tr> <td style="text-align: left"><code>proc.sname</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The name of the current process's session leader. This is either the process with pid=proc.sid or the eldest ancestor that has the same sid as the current process.</td> </tr> <tr> <td style="text-align: left"><code>proc.sid.exe</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The first command line argument argv[0] (usually the executable name or a custom one) of the current process's session leader. This is either the process with pid=proc.sid or the eldest ancestor that has the same sid as the current process.</td> </tr> <tr> <td style="text-align: left"><code>proc.sid.exepath</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The full executable path of the current process's session leader. This is either the process with pid=proc.sid or the eldest ancestor that has the same sid as the current process.</td> </tr> <tr> <td style="text-align: left"><code>proc.vpgid</code></td> <td style="text-align: left">INT64</td> <td style="text-align: left">The process group id of the process generating the event, as seen from its current PID namespace.</td> </tr> <tr> <td style="text-align: left"><code>proc.vpgid.name</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The name of the current process's process group leader. This is either the process with proc.vpgid == proc.vpid or the eldest ancestor that has the same vpgid as the current process. The description of <code>proc.is_vpgid_leader</code> offers additional insights.</td> </tr> <tr> <td style="text-align: left"><code>proc.vpgid.exe</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The first command line argument argv[0] (usually the executable name or a custom one) of the current process's process group leader. This is either the process with proc.vpgid == proc.vpid or the eldest ancestor that has the same vpgid as the current process. The description of <code>proc.is_vpgid_leader</code> offers additional insights.</td> </tr> <tr> <td style="text-align: left"><code>proc.vpgid.exepath</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The full executable path of the current process's process group leader. This is either the process with proc.vpgid == proc.vpid or the eldest ancestor that has the same vpgid as the current process. The description of <code>proc.is_vpgid_leader</code> offers additional insights.</td> </tr> <tr> <td style="text-align: left"><code>proc.pgid</code></td> <td style="text-align: left">INT64</td> <td style="text-align: left">The process group id of the process generating the event, as seen from host PID namespace.</td> </tr> <tr> <td style="text-align: left"><code>proc.pgid.name</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The name of the current process's process group leader. This is either the process with proc.pgid == proc.pid or the eldest ancestor that has the same pgid as the current process. The description of <code>proc.is_pgid_leader</code> offers additional insights.</td> </tr> <tr> <td style="text-align: left"><code>proc.pgid.exe</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The first command line argument argv[0] (usually the executable name or a custom one) of the current process's process group leader. This is either the process with proc.pgid == proc.pid or the eldest ancestor that has the same pgid as the current process. The description of <code>proc.is_pgid_leader</code> offers additional insights.</td> </tr> <tr> <td style="text-align: left"><code>proc.pgid.exepath</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The full executable path of the current process's process group leader. This is either the process with proc.pgid == proc.pid or the eldest ancestor that has the same pgid as the current process. The description of <code>proc.is_pgid_leader</code> offers additional insights.</td> </tr> <tr> <td style="text-align: left"><code>proc.duration</code></td> <td style="text-align: left">RELTIME</td> <td style="text-align: left">Number of nanoseconds since the process started.</td> </tr> <tr> <td style="text-align: left"><code>proc.ppid.duration</code></td> <td style="text-align: left">RELTIME</td> <td style="text-align: left">Number of nanoseconds since the parent process started.</td> </tr> <tr> <td style="text-align: left"><code>proc.pid.ts</code></td> <td style="text-align: left">RELTIME</td> <td style="text-align: left">Start of process as epoch timestamp in nanoseconds.</td> </tr> <tr> <td style="text-align: left"><code>proc.ppid.ts</code></td> <td style="text-align: left">RELTIME</td> <td style="text-align: left">Start of parent process as epoch timestamp in nanoseconds.</td> </tr> <tr> <td style="text-align: left"><code>proc.is_exe_writable</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' if this process' executable file is writable by the same user that spawned the process.</td> </tr> <tr> <td style="text-align: left"><code>proc.is_exe_upper_layer</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' if this process' executable file is in upper layer in overlayfs. This field value can only be trusted if the underlying kernel version is greater or equal than 3.18.0, since overlayfs was introduced at that time.</td> </tr> <tr> <td style="text-align: left"><code>proc.is_exe_lower_layer</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' if this process' executable file is in lower layer in overlayfs. This field value can only be trusted if the underlying kernel version is greater or equal than 3.18.0, since overlayfs was introduced at that time.</td> </tr> <tr> <td style="text-align: left"><code>proc.is_exe_from_memfd</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' if the executable file of the current process is an anonymous file created using memfd_create() and is being executed by referencing its file descriptor (fd). This type of file exists only in memory and not on disk. Relevant to detect malicious in-memory code injection. Requires kernel version greater or equal to 3.17.0.</td> </tr> <tr> <td style="text-align: left"><code>proc.is_sid_leader</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' if this process is the leader of the process session, proc.sid == proc.vpid. For host processes vpid reflects pid.</td> </tr> <tr> <td style="text-align: left"><code>proc.is_vpgid_leader</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' if this process is the leader of the virtual process group, proc.vpgid == proc.vpid. For host processes vpgid and vpid reflect pgid and pid. Can help to distinguish if the process was 'directly' executed for instance in a tty (similar to bash history logging, <code>is_vpgid_leader</code> would be 'true') or executed as descendent process in the same process group which for example is the case when subprocesses are spawned from a script (<code>is_vpgid_leader</code> would be 'false').</td> </tr> <tr> <td style="text-align: left"><code>proc.is_pgid_leader</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' if this process is the leader of the process group, proc.pgid == proc.pid. Can help to distinguish if the process was 'directly' executed for instance in a tty (similar to bash history logging, <code>is_pgid_leader</code> would be 'true') or executed as descendent process in the same process group which for example is the case when subprocesses are spawned from a script (<code>is_pgid_leader</code> would be 'false').</td> </tr> <tr> <td style="text-align: left"><code>proc.exe_ino</code></td> <td style="text-align: left">INT64</td> <td style="text-align: left">The inode number of the executable file on disk. Can be correlated with fd.ino.</td> </tr> <tr> <td style="text-align: left"><code>proc.exe_ino.ctime</code></td> <td style="text-align: left">ABSTIME</td> <td style="text-align: left">Last status change time of executable file (inode-&gt;ctime) as epoch timestamp in nanoseconds. Time is changed by writing or by setting inode information e.g. owner, group, link count, mode etc.</td> </tr> <tr> <td style="text-align: left"><code>proc.exe_ino.mtime</code></td> <td style="text-align: left">ABSTIME</td> <td style="text-align: left">Last modification time of executable file (inode-&gt;mtime) as epoch timestamp in nanoseconds. Time is changed by file modifications, e.g. by mknod, truncate, utime, write of more than zero bytes etc. For tracking changes in owner, group, link count or mode, use proc.exe_ino.ctime instead.</td> </tr> <tr> <td style="text-align: left"><code>proc.exe_ino.ctime_duration_proc_start</code></td> <td style="text-align: left">ABSTIME</td> <td style="text-align: left">Number of nanoseconds between modifying status of executable image and spawning a new process using the changed executable image.</td> </tr> <tr> <td style="text-align: left"><code>proc.exe_ino.ctime_duration_pidns_start</code></td> <td style="text-align: left">ABSTIME</td> <td style="text-align: left">Number of nanoseconds between PID namespace start ts and ctime exe file if PID namespace start predates ctime.</td> </tr> <tr> <td style="text-align: left"><code>proc.pidns_init_start_ts</code></td> <td style="text-align: left">UINT64</td> <td style="text-align: left">Start of PID namespace (container or non container pid namespace) as epoch timestamp in nanoseconds.</td> </tr> <tr> <td style="text-align: left"><code>thread.cap_permitted</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The permitted capabilities set</td> </tr> <tr> <td style="text-align: left"><code>thread.cap_inheritable</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The inheritable capabilities set</td> </tr> <tr> <td style="text-align: left"><code>thread.cap_effective</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The effective capabilities set</td> </tr> <tr> <td style="text-align: left"><code>proc.fdopencount</code></td> <td style="text-align: left">UINT64</td> <td style="text-align: left">Number of open FDs for the process</td> </tr> <tr> <td style="text-align: left"><code>proc.fdlimit</code></td> <td style="text-align: left">INT64</td> <td style="text-align: left">Maximum number of FDs the process can open.</td> </tr> <tr> <td style="text-align: left"><code>proc.fdusage</code></td> <td style="text-align: left">DOUBLE</td> <td style="text-align: left">The ratio between open FDs and maximum available FDs for the process.</td> </tr> <tr> <td style="text-align: left"><code>proc.vmsize</code></td> <td style="text-align: left">UINT64</td> <td style="text-align: left">Total virtual memory for the process (as kb).</td> </tr> <tr> <td style="text-align: left"><code>proc.vmrss</code></td> <td style="text-align: left">UINT64</td> <td style="text-align: left">Resident non-swapped memory for the process (as kb).</td> </tr> <tr> <td style="text-align: left"><code>proc.vmswap</code></td> <td style="text-align: left">UINT64</td> <td style="text-align: left">Swapped memory for the process (as kb).</td> </tr> <tr> <td style="text-align: left"><code>thread.pfmajor</code></td> <td style="text-align: left">UINT64</td> <td style="text-align: left">Number of major page faults since thread start.</td> </tr> <tr> <td style="text-align: left"><code>thread.pfminor</code></td> <td style="text-align: left">UINT64</td> <td style="text-align: left">Number of minor page faults since thread start.</td> </tr> <tr> <td style="text-align: left"><code>thread.tid</code></td> <td style="text-align: left">INT64</td> <td style="text-align: left">The id of the thread generating the event.</td> </tr> <tr> <td style="text-align: left"><code>thread.ismain</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' if the thread generating the event is the main one in the process.</td> </tr> <tr> <td style="text-align: left"><code>thread.vtid</code></td> <td style="text-align: left">INT64</td> <td style="text-align: left">The id of the thread generating the event as seen from its current PID namespace.</td> </tr> <tr> <td style="text-align: left"><code>thread.exectime</code></td> <td style="text-align: left">RELTIME</td> <td style="text-align: left">CPU time spent by the last scheduled thread, in nanoseconds. Exported by switch events only.</td> </tr> <tr> <td style="text-align: left"><code>thread.totexectime</code></td> <td style="text-align: left">RELTIME</td> <td style="text-align: left">Total CPU time, in nanoseconds since the beginning of the capture, for the current thread. Exported by switch events only.</td> </tr> <tr> <td style="text-align: left"><code>thread.cgroups</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">All cgroups the thread belongs to, aggregated into a single string.</td> </tr> <tr> <td style="text-align: left"><code>thread.cgroup</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The cgroup the thread belongs to, for a specific subsystem. e.g. thread.cgroup.cpuacct.</td> </tr> <tr> <td style="text-align: left"><code>proc.nthreads</code></td> <td style="text-align: left">UINT64</td> <td style="text-align: left">The number of alive threads that the process generating the event currently has, including the leader thread. Please note that the leader thread may not be here, in that case 'proc.nthreads' and 'proc.nchilds' are equal</td> </tr> <tr> <td style="text-align: left"><code>proc.nchilds</code></td> <td style="text-align: left">UINT64</td> <td style="text-align: left">The number of alive not leader threads that the process generating the event currently has. This excludes the leader thread.</td> </tr> <tr> <td style="text-align: left"><code>thread.cpu</code></td> <td style="text-align: left">DOUBLE</td> <td style="text-align: left">The CPU consumed by the thread in the last second.</td> </tr> <tr> <td style="text-align: left"><code>thread.cpu.user</code></td> <td style="text-align: left">DOUBLE</td> <td style="text-align: left">The user CPU consumed by the thread in the last second.</td> </tr> <tr> <td style="text-align: left"><code>thread.cpu.system</code></td> <td style="text-align: left">DOUBLE</td> <td style="text-align: left">The system CPU consumed by the thread in the last second.</td> </tr> <tr> <td style="text-align: left"><code>thread.vmsize</code></td> <td style="text-align: left">UINT64</td> <td style="text-align: left">For the process main thread, this is the total virtual memory for the process (as kb). For the other threads, this field is zero.</td> </tr> <tr> <td style="text-align: left"><code>thread.vmrss</code></td> <td style="text-align: left">UINT64</td> <td style="text-align: left">For the process main thread, this is the resident non-swapped memory for the process (as kb). For the other threads, this field is zero.</td> </tr> <tr> <td style="text-align: left"><code>proc.stdin.type</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The type of file descriptor 0, corresponding to stdin, of the process generating the event.</td> </tr> <tr> <td style="text-align: left"><code>proc.stdout.type</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The type of file descriptor 1, corresponding to stdout, of the process generating the event.</td> </tr> <tr> <td style="text-align: left"><code>proc.stderr.type</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The type of file descriptor 2, corresponding to stderr, of the process generating the event.</td> </tr> <tr> <td style="text-align: left"><code>proc.stdin.name</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The name of the file descriptor 0, corresponding to stdin, of the process generating the event.</td> </tr> <tr> <td style="text-align: left"><code>proc.stdout.name</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The name of the file descriptor 1, corresponding to stdout, of the process generating the event.</td> </tr> <tr> <td style="text-align: left"><code>proc.stderr.name</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The name of the file descriptor 2, corresponding to stderr, of the process generating the event.</td> </tr> </tbody> </table> <h3 id="field-class-user">Field Class: user</h3> <p>Information about the user executing the specific event.</p> <table> <thead> <tr> <th style="text-align: left">Name</th> <th style="text-align: left">Type</th> <th style="text-align: left">Description</th> </tr> </thead> <tbody> <tr> <td style="text-align: left"><code>user.uid</code></td> <td style="text-align: left">UINT32</td> <td style="text-align: left">user ID.</td> </tr> <tr> <td style="text-align: left"><code>user.name</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">user name.</td> </tr> <tr> <td style="text-align: left"><code>user.homedir</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">home directory of the user.</td> </tr> <tr> <td style="text-align: left"><code>user.shell</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">user's shell.</td> </tr> <tr> <td style="text-align: left"><code>user.loginuid</code></td> <td style="text-align: left">INT64</td> <td style="text-align: left">audit user id (auid), internally the loginuid is of type <code>uint32_t</code>. However, if an invalid uid corresponding to UINT32_MAX is encountered, it is returned as -1 to support familiar filtering conditions.</td> </tr> <tr> <td style="text-align: left"><code>user.loginname</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">audit user name (auid).</td> </tr> </tbody> </table> <h3 id="field-class-group">Field Class: group</h3> <p>Information about the user group.</p> <table> <thead> <tr> <th style="text-align: left">Name</th> <th style="text-align: left">Type</th> <th style="text-align: left">Description</th> </tr> </thead> <tbody> <tr> <td style="text-align: left"><code>group.gid</code></td> <td style="text-align: left">UINT32</td> <td style="text-align: left">group ID.</td> </tr> <tr> <td style="text-align: left"><code>group.name</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">group name.</td> </tr> </tbody> </table> <h3 id="field-class-fd">Field Class: fd</h3> <p>Every syscall that has a file descriptor in its arguments has these fields set with information related to the file.</p> <table> <thead> <tr> <th style="text-align: left">Name</th> <th style="text-align: left">Type</th> <th style="text-align: left">Description</th> </tr> </thead> <tbody> <tr> <td style="text-align: left"><code>fd.num</code></td> <td style="text-align: left">INT64</td> <td style="text-align: left">the unique number identifying the file descriptor.</td> </tr> <tr> <td style="text-align: left"><code>fd.type</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">type of FD. Can be 'file', 'directory', 'ipv4', 'ipv6', 'unix', 'pipe', 'event', 'signalfd', 'eventpoll', 'inotify' 'signalfd' or 'memfd'.</td> </tr> <tr> <td style="text-align: left"><code>fd.typechar</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">type of FD as a single character. Can be 'f' for file, 4 for IPv4 socket, 6 for IPv6 socket, 'u' for unix socket, p for pipe, 'e' for eventfd, 's' for signalfd, 'l' for eventpoll, 'i' for inotify, 'b' for bpf, 'u' for userfaultd, 'r' for io_uring, 'm' for memfd ,'o' for unknown.</td> </tr> <tr> <td style="text-align: left"><code>fd.name</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">FD full name. If the fd is a file, this field contains the full path. If the FD is a socket, this field contain the connection tuple.</td> </tr> <tr> <td style="text-align: left"><code>fd.directory</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">If the fd is a file, the directory that contains it.</td> </tr> <tr> <td style="text-align: left"><code>fd.filename</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">If the fd is a file, the filename without the path.</td> </tr> <tr> <td style="text-align: left"><code>fd.ip</code></td> <td style="text-align: left">IPADDR</td> <td style="text-align: left">matches the ip address (client or server) of the fd.</td> </tr> <tr> <td style="text-align: left"><code>fd.cip</code></td> <td style="text-align: left">IPADDR</td> <td style="text-align: left">client IP address.</td> </tr> <tr> <td style="text-align: left"><code>fd.sip</code></td> <td style="text-align: left">IPADDR</td> <td style="text-align: left">server IP address.</td> </tr> <tr> <td style="text-align: left"><code>fd.lip</code></td> <td style="text-align: left">IPADDR</td> <td style="text-align: left">local IP address.</td> </tr> <tr> <td style="text-align: left"><code>fd.rip</code></td> <td style="text-align: left">IPADDR</td> <td style="text-align: left">remote IP address.</td> </tr> <tr> <td style="text-align: left"><code>fd.port</code></td> <td style="text-align: left">PORT</td> <td style="text-align: left">matches the port (either client or server) of the fd.</td> </tr> <tr> <td style="text-align: left"><code>fd.cport</code></td> <td style="text-align: left">PORT</td> <td style="text-align: left">for TCP/UDP FDs, the client port.</td> </tr> <tr> <td style="text-align: left"><code>fd.sport</code></td> <td style="text-align: left">PORT</td> <td style="text-align: left">for TCP/UDP FDs, server port.</td> </tr> <tr> <td style="text-align: left"><code>fd.lport</code></td> <td style="text-align: left">PORT</td> <td style="text-align: left">for TCP/UDP FDs, the local port.</td> </tr> <tr> <td style="text-align: left"><code>fd.rport</code></td> <td style="text-align: left">PORT</td> <td style="text-align: left">for TCP/UDP FDs, the remote port.</td> </tr> <tr> <td style="text-align: left"><code>fd.l4proto</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">the IP protocol of a socket. Can be 'tcp', 'udp', 'icmp' or 'raw'.</td> </tr> <tr> <td style="text-align: left"><code>fd.sockfamily</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">the socket family for socket events. Can be 'ip' or 'unix'.</td> </tr> <tr> <td style="text-align: left"><code>fd.is_server</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' if the process owning this FD is the server endpoint in the connection.</td> </tr> <tr> <td style="text-align: left"><code>fd.uid</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">a unique identifier for the FD, created by chaining the FD number and the thread ID.</td> </tr> <tr> <td style="text-align: left"><code>fd.containername</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">chaining of the container ID and the FD name. Useful when trying to identify which container an FD belongs to.</td> </tr> <tr> <td style="text-align: left"><code>fd.containerdirectory</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">chaining of the container ID and the directory name. Useful when trying to identify which container a directory belongs to.</td> </tr> <tr> <td style="text-align: left"><code>fd.proto</code></td> <td style="text-align: left">PORT</td> <td style="text-align: left">matches the protocol (either client or server) of the fd.</td> </tr> <tr> <td style="text-align: left"><code>fd.cproto</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">for TCP/UDP FDs, the client protocol.</td> </tr> <tr> <td style="text-align: left"><code>fd.sproto</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">for TCP/UDP FDs, server protocol.</td> </tr> <tr> <td style="text-align: left"><code>fd.lproto</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">for TCP/UDP FDs, the local protocol.</td> </tr> <tr> <td style="text-align: left"><code>fd.rproto</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">for TCP/UDP FDs, the remote protocol.</td> </tr> <tr> <td style="text-align: left"><code>fd.net</code></td> <td style="text-align: left">IPNET</td> <td style="text-align: left">matches the IP network (client or server) of the fd.</td> </tr> <tr> <td style="text-align: left"><code>fd.cnet</code></td> <td style="text-align: left">IPNET</td> <td style="text-align: left">matches the client IP network of the fd.</td> </tr> <tr> <td style="text-align: left"><code>fd.snet</code></td> <td style="text-align: left">IPNET</td> <td style="text-align: left">matches the server IP network of the fd.</td> </tr> <tr> <td style="text-align: left"><code>fd.lnet</code></td> <td style="text-align: left">IPNET</td> <td style="text-align: left">matches the local IP network of the fd.</td> </tr> <tr> <td style="text-align: left"><code>fd.rnet</code></td> <td style="text-align: left">IPNET</td> <td style="text-align: left">matches the remote IP network of the fd.</td> </tr> <tr> <td style="text-align: left"><code>fd.connected</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">for TCP/UDP FDs, 'true' if the socket is connected.</td> </tr> <tr> <td style="text-align: left"><code>fd.name_changed</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">True when an event changes the name of an fd used by this event. This can occur in some cases such as udp connections where the connection tuple changes.</td> </tr> <tr> <td style="text-align: left"><code>fd.cip.name</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Domain name associated with the client IP address.</td> </tr> <tr> <td style="text-align: left"><code>fd.sip.name</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Domain name associated with the server IP address.</td> </tr> <tr> <td style="text-align: left"><code>fd.lip.name</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Domain name associated with the local IP address.</td> </tr> <tr> <td style="text-align: left"><code>fd.rip.name</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Domain name associated with the remote IP address.</td> </tr> <tr> <td style="text-align: left"><code>fd.dev</code></td> <td style="text-align: left">INT32</td> <td style="text-align: left">device number (major/minor) containing the referenced file</td> </tr> <tr> <td style="text-align: left"><code>fd.dev.major</code></td> <td style="text-align: left">INT32</td> <td style="text-align: left">major device number containing the referenced file</td> </tr> <tr> <td style="text-align: left"><code>fd.dev.minor</code></td> <td style="text-align: left">INT32</td> <td style="text-align: left">minor device number containing the referenced file</td> </tr> <tr> <td style="text-align: left"><code>fd.ino</code></td> <td style="text-align: left">INT64</td> <td style="text-align: left">inode number of the referenced file</td> </tr> <tr> <td style="text-align: left"><code>fd.nameraw</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">FD full name raw. Just like fd.name, but only used if fd is a file path. File path is kept raw with limited sanitization and without deriving the absolute path.</td> </tr> <tr> <td style="text-align: left"><code>fd.types</code></td> <td style="text-align: left">LIST(CHARBUF)</td> <td style="text-align: left">List of FD types in used. Can be passed an fd number e.g. fd.types[0] to get the type of stdout as a single item list.</td> </tr> <tr> <td style="text-align: left"><code>fd.is_upper_layer</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' if the fd is of a file in the upper layer of an overlayfs.</td> </tr> <tr> <td style="text-align: left"><code>fd.is_lower_layer</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' if the fd is of a file in the lower layer of an overlayfs.</td> </tr> </tbody> </table> <h3 id="field-class-fs-path">Field Class: fs.path</h3> <p>Every syscall that has a filesystem path in its arguments has these fields set with information related to the path arguments. This differs from the fd.* fields as it includes syscalls like unlink, rename, etc. that act directly on filesystem paths as compared to opened file descriptors.</p> <table> <thead> <tr> <th style="text-align: left">Name</th> <th style="text-align: left">Type</th> <th style="text-align: left">Description</th> </tr> </thead> <tbody> <tr> <td style="text-align: left"><code>fs.path.name</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">For any event type that deals with a filesystem path, the path the file syscall is operating on. This path is always fully resolved, prepending the thread cwd when needed.</td> </tr> <tr> <td style="text-align: left"><code>fs.path.nameraw</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">For any event type that deals with a filesystem path, the path the file syscall is operating on. This path is always the path provided to the syscall and may not be fully resolved.</td> </tr> <tr> <td style="text-align: left"><code>fs.path.source</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">For any event type that deals with a filesystem path, and specifically for a source and target like mv, cp, etc, the source path the file syscall is operating on. This path is always fully resolved, prepending the thread cwd when needed.</td> </tr> <tr> <td style="text-align: left"><code>fs.path.sourceraw</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">For any event type that deals with a filesystem path, and specifically for a source and target like mv, cp, etc, the source path the file syscall is operating on. This path is always the path provided to the syscall and may not be fully resolved.</td> </tr> <tr> <td style="text-align: left"><code>fs.path.target</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">For any event type that deals with a filesystem path, and specifically for a target and target like mv, cp, etc, the target path the file syscall is operating on. This path is always fully resolved, prepending the thread cwd when needed.</td> </tr> <tr> <td style="text-align: left"><code>fs.path.targetraw</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">For any event type that deals with a filesystem path, and specifically for a target and target like mv, cp, etc, the target path the file syscall is operating on. This path is always the path provided to the syscall and may not be fully resolved.</td> </tr> </tbody> </table> <h3 id="field-class-fdlist">Field Class: fdlist</h3> <p>Poll event related fields.</p> <table> <thead> <tr> <th style="text-align: left">Name</th> <th style="text-align: left">Type</th> <th style="text-align: left">Description</th> </tr> </thead> <tbody> <tr> <td style="text-align: left"><code>fdlist.nums</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">for poll events, this is a comma-separated list of the FD numbers in the 'fds' argument, returned as a string.</td> </tr> <tr> <td style="text-align: left"><code>fdlist.names</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">for poll events, this is a comma-separated list of the FD names in the 'fds' argument, returned as a string.</td> </tr> <tr> <td style="text-align: left"><code>fdlist.cips</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">for poll events, this is a comma-separated list of the client IP addresses in the 'fds' argument, returned as a string.</td> </tr> <tr> <td style="text-align: left"><code>fdlist.sips</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">for poll events, this is a comma-separated list of the server IP addresses in the 'fds' argument, returned as a string.</td> </tr> <tr> <td style="text-align: left"><code>fdlist.cports</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">for TCP/UDP FDs, for poll events, this is a comma-separated list of the client TCP/UDP ports in the 'fds' argument, returned as a string.</td> </tr> <tr> <td style="text-align: left"><code>fdlist.sports</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">for poll events, this is a comma-separated list of the server TCP/UDP ports in the 'fds' argument, returned as a string.</td> </tr> </tbody> </table> <h3 id="field-class-container-plugin">Field Class: container (plugin)</h3> <table> <thead> <tr> <th style="text-align: left">Name</th> <th style="text-align: left">Type</th> <th style="text-align: left">Description</th> </tr> </thead> <tbody> <tr> <td style="text-align: left"><code>container.id</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The truncated container ID (first 12 characters), e.g. 3ad7b26ded6d is extracted from the Linux cgroups by Falco within the kernel. Consequently, this field is reliably available and serves as the lookup key for Falco's synchronous or asynchronous requests against the container runtime socket to retrieve all other 'container.<em>' information. One important aspect to be aware of is that if the process occurs on the host, meaning not in the container PID namespace, this field is set to a string called 'host'. In Kubernetes, pod sandbox container processes can exist where <code>container.id</code> matches <code>k8s.pod.sandbox_id</code>, lacking other 'container.</em>' details.</td> </tr> <tr> <td style="text-align: left"><code>container.full_id</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The full container ID, e.g. 3ad7b26ded6d8e7b23da7d48fe889434573036c27ae5a74837233de441c3601e. In contrast to <code>container.id</code>, we enrich this field as part of the container engine enrichment. In instances of userspace container engine lookup delays, this field may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>container.name</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The container name. In instances of userspace container engine lookup delays, this field may not be available yet. One important aspect to be aware of is that if the process occurs on the host, meaning not in the container PID namespace, this field is set to a string called 'host'.</td> </tr> <tr> <td style="text-align: left"><code>container.image</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The container image name (e.g. falcosecurity/falco:latest for docker). In instances of userspace container engine lookup delays, this field may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>container.image.id</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The container image id (e.g. 6f7e2741b66b). In instances of userspace container engine lookup delays, this field may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>container.type</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The container type, e.g. docker, cri-o, containerd etc.</td> </tr> <tr> <td style="text-align: left"><code>container.privileged</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' for containers running as privileged, 'false' otherwise. In instances of userspace container engine lookup delays, this field may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>container.mounts</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">A space-separated list of mount information. Each item in the list has the format 'source:dest:mode:rdrw:propagation'. In instances of userspace container engine lookup delays, this field may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>container.mount</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Information about a single mount, specified by number (e.g. container.mount[0]) or mount source (container.mount[/usr/local]). The pathname can be a glob (container.mount[/usr/local/*]), in which case the first matching mount will be returned. The information has the format 'source:dest:mode:rdrw:propagation'. If there is no mount with the specified index or matching the provided source, returns the string &quot;none&quot; instead of a NULL value. In instances of userspace container engine lookup delays, this field may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>container.mount.source</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The mount source, specified by number (e.g. container.mount.source[0]) or mount destination (container.mount.source[/host/lib/modules]). The pathname can be a glob. In instances of userspace container engine lookup delays, this field may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>container.mount.dest</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The mount destination, specified by number (e.g. container.mount.dest[0]) or mount source (container.mount.dest[/lib/modules]). The pathname can be a glob. In instances of userspace container engine lookup delays, this field may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>container.mount.mode</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The mount mode, specified by number (e.g. container.mount.mode[0]) or mount source (container.mount.mode[/usr/local]). The pathname can be a glob. In instances of userspace container engine lookup delays, this field may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>container.mount.rdwr</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The mount rdwr value, specified by number (e.g. container.mount.rdwr[0]) or mount source (container.mount.rdwr[/usr/local]). The pathname can be a glob. In instances of userspace container engine lookup delays, this field may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>container.mount.propagation</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The mount propagation value, specified by number (e.g. container.mount.propagation[0]) or mount source (container.mount.propagation[/usr/local]). The pathname can be a glob. In instances of userspace container engine lookup delays, this field may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>container.image.repository</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The container image repository (e.g. falcosecurity/falco). In instances of userspace container engine lookup delays, this field may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>container.image.tag</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The container image tag (e.g. stable, latest). In instances of userspace container engine lookup delays, this field may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>container.image.digest</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The container image registry digest (e.g. sha256:d977378f890d445c15e51795296e4e5062f109ce6da83e0a355fc4ad8699d27). In instances of userspace container engine lookup delays, this field may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>container.healthcheck</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The container's health check. Will be the null value (&quot;N/A&quot;) if no healthcheck configured, &quot;NONE&quot; if configured but explicitly not created, and the healthcheck command line otherwise. In instances of userspace container engine lookup delays, this field may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>container.liveness_probe</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The container's liveness probe. Will be the null value (&quot;N/A&quot;) if no liveness probe configured, the liveness probe command line otherwise. In instances of userspace container engine lookup delays, this field may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>container.readiness_probe</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The container's readiness probe. Will be the null value (&quot;N/A&quot;) if no readiness probe configured, the readiness probe command line otherwise. In instances of userspace container engine lookup delays, this field may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>container.start_ts</code></td> <td style="text-align: left">ABSTIME</td> <td style="text-align: left">Container start as epoch timestamp in nanoseconds based on proc.pidns_init_start_ts and extracted in the kernel and not from the container runtime socket / container engine.</td> </tr> <tr> <td style="text-align: left"><code>container.duration</code></td> <td style="text-align: left">RELTIME</td> <td style="text-align: left">Number of nanoseconds since container.start_ts.</td> </tr> <tr> <td style="text-align: left"><code>container.ip</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The container's / pod's primary ip address as retrieved from the container engine. Only ipv4 addresses are tracked. Consider container.cni.json (CRI use case) for logging ip addresses for each network interface. In instances of userspace container engine lookup delays, this field may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>container.cni.json</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The container's / pod's CNI result field from the respective pod status info. It contains ip addresses for each network interface exposed as unparsed escaped JSON string. Supported for CRI container engine (containerd, cri-o runtimes), optimized for containerd (some non-critical JSON keys removed). Useful for tracking ips (ipv4 and ipv6, dual-stack support) for each network interface (multi-interface support). In instances of userspace container engine lookup delays, this field may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>container.host_pid</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' if the container is running in the host PID namespace, 'false' otherwise.</td> </tr> <tr> <td style="text-align: left"><code>container.host_network</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' if the container is running in the host network namespace, 'false' otherwise.</td> </tr> <tr> <td style="text-align: left"><code>container.host_ipc</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' if the container is running in the host IPC namespace, 'false' otherwise.</td> </tr> <tr> <td style="text-align: left"><code>container.label</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Container label. E.g. 'container.label.foo'.</td> </tr> <tr> <td style="text-align: left"><code>container.labels</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Container comma-separated key/value labels. E.g. 'foo1:bar1,foo2:bar2'.</td> </tr> <tr> <td style="text-align: left"><code>proc.is_container_healthcheck</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' if this process is running as a part of the container's health check.</td> </tr> <tr> <td style="text-align: left"><code>proc.is_container_liveness_probe</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' if this process is running as a part of the container's liveness probe.</td> </tr> <tr> <td style="text-align: left"><code>proc.is_container_readiness_probe</code></td> <td style="text-align: left">BOOL</td> <td style="text-align: left">'true' if this process is running as a part of the container's readiness probe.</td> </tr> <tr> <td style="text-align: left"><code>k8s.pod.name</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The Kubernetes pod name. This field is extracted from the container runtime socket simultaneously as we look up the 'container.*' fields. In cases of lookup delays, it may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>k8s.ns.name</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The Kubernetes namespace name. This field is extracted from the container runtime socket simultaneously as we look up the 'container.*' fields. In cases of lookup delays, it may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>k8s.pod.id</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">[LEGACY] The Kubernetes pod UID, e.g. 3e41dc6b-08a8-44db-bc2a-3724b18ab19a. This legacy field points to <code>k8s.pod.uid</code>; however, the pod ID typically refers to the pod sandbox ID. We recommend using the semantically more accurate <code>k8s.pod.uid</code> field. This field is extracted from the container runtime socket simultaneously as we look up the 'container.*' fields. In cases of lookup delays, it may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>k8s.pod.uid</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The Kubernetes pod UID, e.g. 3e41dc6b-08a8-44db-bc2a-3724b18ab19a. Note that the pod UID is a unique identifier assigned upon pod creation within Kubernetes, allowing the Kubernetes control plane to manage and track pods reliably. As such, it is fundamentally a different concept compared to the pod sandbox ID. This field is extracted from the container runtime socket simultaneously as we look up the 'container.*' fields. In cases of lookup delays, it may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>k8s.pod.sandbox_id</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The truncated Kubernetes pod sandbox ID (first 12 characters), e.g 63060edc2d3a. The sandbox ID is specific to the container runtime environment. It is the equivalent of the container ID for the pod / sandbox and extracted from the Linux cgroups. As such, it differs from the pod UID. This field is extracted from the container runtime socket simultaneously as we look up the 'container.<em>' fields. In cases of lookup delays, it may not be available yet. In Kubernetes, pod sandbox container processes can exist where <code>container.id</code> matches <code>k8s.pod.sandbox_id</code>, lacking other 'container.</em>' details.</td> </tr> <tr> <td style="text-align: left"><code>k8s.pod.full_sandbox_id</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The full Kubernetes pod / sandbox ID, e.g 63060edc2d3aa803ab559f2393776b151f99fc5b05035b21db66b3b62246ad6a. This field is extracted from the container runtime socket simultaneously as we look up the 'container.*' fields. In cases of lookup delays, it may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>k8s.pod.label</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The Kubernetes pod label. The label can be accessed either with the familiar brackets notation, e.g. 'k8s.pod.label[foo]' or by appending a dot followed by the name, e.g. 'k8s.pod.label.foo'. The label name itself can include the original special characters such as '.', '-', '_' or '/' characters. For instance, 'k8s.pod.label[app.kubernetes.io/name]', 'k8s.pod.label.app.kubernetes.io/name' or 'k8s.pod.label[custom-label_one]' are all valid. This field is extracted from the container runtime socket simultaneously as we look up the 'container.*' fields. In cases of lookup delays, it may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>k8s.pod.labels</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The Kubernetes pod comma-separated key/value labels. E.g. 'foo1:bar1,foo2:bar2'. This field is extracted from the container runtime socket simultaneously as we look up the 'container.*' fields. In cases of lookup delays, it may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>k8s.pod.ip</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The Kubernetes pod ip, same as container.ip field as each container in a pod shares the network stack of the sandbox / pod. Only ipv4 addresses are tracked. Consider k8s.pod.cni.json for logging ip addresses for each network interface. This field is extracted from the container runtime socket simultaneously as we look up the 'container.*' fields. In cases of lookup delays, it may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>k8s.pod.cni.json</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">The Kubernetes pod CNI result field from the respective pod status info, same as container.cni.json field. It contains ip addresses for each network interface exposed as unparsed escaped JSON string. Supported for CRI container engine (containerd, cri-o runtimes), optimized for containerd (some non-critical JSON keys removed). Useful for tracking ips (ipv4 and ipv6, dual-stack support) for each network interface (multi-interface support). This field is extracted from the container runtime socket simultaneously as we look up the 'container.*' fields. In cases of lookup delays, it may not be available yet.</td> </tr> <tr> <td style="text-align: left"><code>k8s.rc.name</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Deprecated. Use <code>k8smeta</code> plugin instead.</td> </tr> <tr> <td style="text-align: left"><code>k8s.rc.id</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Deprecated. Use <code>k8smeta</code> plugin instead.</td> </tr> <tr> <td style="text-align: left"><code>k8s.rc.label</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Deprecated. Use <code>k8smeta</code> plugin instead.</td> </tr> <tr> <td style="text-align: left"><code>k8s.rc.labels</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Deprecated. Use <code>k8smeta</code> plugin instead.</td> </tr> <tr> <td style="text-align: left"><code>k8s.svc.name</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Deprecated. Use <code>k8smeta</code> plugin instead.</td> </tr> <tr> <td style="text-align: left"><code>k8s.svc.id</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Deprecated. Use <code>k8smeta</code> plugin instead.</td> </tr> <tr> <td style="text-align: left"><code>k8s.svc.label</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Deprecated. Use <code>k8smeta</code> plugin instead.</td> </tr> <tr> <td style="text-align: left"><code>k8s.svc.labels</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Deprecated. Use <code>k8smeta</code> plugin instead.</td> </tr> <tr> <td style="text-align: left"><code>k8s.ns.id</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Deprecated. Use <code>k8smeta</code> plugin instead.</td> </tr> <tr> <td style="text-align: left"><code>k8s.ns.label</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Deprecated. Use <code>k8smeta</code> plugin instead.</td> </tr> <tr> <td style="text-align: left"><code>k8s.ns.labels</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Deprecated. Use <code>k8smeta</code> plugin instead.</td> </tr> <tr> <td style="text-align: left"><code>k8s.rs.name</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Deprecated. Use <code>k8smeta</code> plugin instead.</td> </tr> <tr> <td style="text-align: left"><code>k8s.rs.id</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Deprecated. Use <code>k8smeta</code> plugin instead.</td> </tr> <tr> <td style="text-align: left"><code>k8s.rs.label</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Deprecated. Use <code>k8smeta</code> plugin instead.</td> </tr> <tr> <td style="text-align: left"><code>k8s.rs.labels</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Deprecated. Use <code>k8smeta</code> plugin instead.</td> </tr> <tr> <td style="text-align: left"><code>k8s.deployment.name</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Deprecated. Use <code>k8smeta</code> plugin instead.</td> </tr> <tr> <td style="text-align: left"><code>k8s.deployment.id</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Deprecated. Use <code>k8smeta</code> plugin instead.</td> </tr> <tr> <td style="text-align: left"><code>k8s.deployment.label</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Deprecated. Use <code>k8smeta</code> plugin instead.</td> </tr> <tr> <td style="text-align: left"><code>k8s.deployment.labels</code></td> <td style="text-align: left">CHARBUF</td> <td style="text-align: left">Deprecated. Use <code>k8smeta</code> plugin instead.</td> </tr> </tbody> </table>https://v0-43--falcosecurity.netlify.app/docs/reference/rules/examples/Mon, 01 Jan 0001 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/docs/reference/rules/examples/ <p>Here are some examples of the types of behavior falco can detect.</p> <p>For a more comprehensive set of examples, see the full rules file at <code>falco_rules.yaml</code>.</p> <h2 id="a-shell-is-run-in-a-container">A shell is run in a container</h2> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>container<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>container.id != host<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>spawned_process<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>(evt.type in (execve, execveat))<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">rule</span>:<span style="color:#bbb"> </span>run_shell_in_container<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">desc</span>:<span style="color:#bbb"> </span>a shell was spawned by a non-shell program in a container. Container entrypoints are excluded.<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>container and proc.name = bash and spawned_process and proc.pname exists and not proc.pname in (bash, docker)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">output</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#34;Shell spawned in a container other than entrypoint | user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">priority</span>:<span style="color:#bbb"> </span>WARNING<span style="color:#bbb"> </span></span></span></code></pre></div> <h2 id="unexpected-outbound-elasticsearch-connection">Unexpected outbound Elasticsearch connection</h2> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>outbound<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>syscall.type=connect and (fd.typechar=4 or fd.typechar=6)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>elasticsearch_cluster_port<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>fd.sport=9300<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">rule</span>:<span style="color:#bbb"> </span>elasticsearch_unexpected_network_outbound<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">desc</span>:<span style="color:#bbb"> </span>outbound network traffic from elasticsearch on a port other than the standard ports<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>user.name = elasticsearch and outbound and not elasticsearch_cluster_port<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">output</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#34;Outbound network traffic from Elasticsearch on unexpected port | connection=%fd.name&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">priority</span>:<span style="color:#bbb"> </span>WARNING<span style="color:#bbb"> </span></span></span></code></pre></div> <h2 id="write-to-directory-holding-system-binaries">Write to directory holding system binaries</h2> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>open_write<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>&gt;<span style="color:#b44;font-style:italic"> </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> (evt.type=open or evt.type=openat) and </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> fd.typechar=&#39;f&#39; and </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> (evt.arg.flags contains O_WRONLY or </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> evt.arg.flags contains O_RDWR or </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> evt.arg.flags contains O_CREAT or </span></span></span><span style="display:flex;"><span><span style="color:#b44;font-style:italic"> evt.arg.flags contains O_TRUNC)</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>package_mgmt_binaries<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>proc.name in (dpkg, dpkg-preconfigu, rpm, rpmkey, yum)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">macro</span>:<span style="color:#bbb"> </span>bin_dir<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">rule</span>:<span style="color:#bbb"> </span>write_binary_dir<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">desc</span>:<span style="color:#bbb"> </span>an attempt to write to any file below a set of binary directories<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>open_write and not package_mgmt_binaries and bin_dir<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">output</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#34;File below a known binary directory opened for writing | user=%user.name command=%proc.cmdline file=%fd.name&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">priority</span>:<span style="color:#bbb"> </span>WARNING<span style="color:#bbb"> </span></span></span></code></pre></div> <h2 id="non-authorized-container-namespace-change">Non-authorized container namespace change</h2> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">rule</span>:<span style="color:#bbb"> </span>change_thread_namespace<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">desc</span>:<span style="color:#bbb"> </span>an attempt to change a program/thread\&#39;s namespace (commonly done as a part of creating a container) by calling setns.<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>syscall.type = setns and not proc.name in (docker, sysdig, dragent)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">output</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#34;Namespace change (setns) by unexpected program | user=%user.name command=%proc.cmdline container=%container.id&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">priority</span>:<span style="color:#bbb"> </span>WARNING<span style="color:#bbb"> </span></span></span></code></pre></div> <h2 id="non-device-files-written-in-dev-some-rootkits-do-this">Non-device files written in /dev (some rootkits do this)</h2> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">rule</span>:<span style="color:#bbb"> </span>create_files_below_dev<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">desc</span>:<span style="color:#bbb"> </span>creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev.<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>(evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">output</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#34;File created below /dev by untrusted program | user=%user.name command=%proc.cmdline file=%fd.name&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">priority</span>:<span style="color:#bbb"> </span>WARNING<span style="color:#bbb"> </span></span></span></code></pre></div> <h2 id="process-other-than-skype-webex-tries-to-access-camera">Process other than skype/webex tries to access camera</h2> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">rule</span>:<span style="color:#bbb"> </span>access_camera<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">desc</span>:<span style="color:#bbb"> </span>a process other than skype/webex tries to access the camera<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">condition</span>:<span style="color:#bbb"> </span>evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">output</span>:<span style="color:#bbb"> </span>Unexpected process opening camera video device | command=%proc.cmdline<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">priority</span>:<span style="color:#bbb"> </span>WARNING<span style="color:#bbb"> </span></span></span></code></pre></div>https://v0-43--falcosecurity.netlify.app/docs/reference/rules/default-rules/Mon, 01 Jan 0001 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/docs/reference/rules/default-rules/ <p>Falco provides default rules maintained by the maintainers with contributions from the community. More information on this <a href="https://v0-43--falcosecurity.netlify.app/docs/rules/default-custom/">page</a>.</p> <p>This list presents the default rules based on syscall events.</p> <div class="card card-sm pageinfo pageinfo-info my-4"> <div class="card-body"> <div class="card-text"> <p>By default, only the <code>stable</code> rules are loaded by Falco, you can install the <code>sandbox</code> or <code>incubating</code> rules by referencing them in the Helm chart:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>helm install falco falcosecurity/falco <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set <span style="color:#b44">&#34;falcoctl.config.artifact.install.refs={falco-rules:3,falco-incubating-rules:4,falco-sandbox-rules:4}&#34;</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set <span style="color:#b44">&#34;falcoctl.config.artifact.follow.refs={falco-rules:3,falco-incubating-rules:4,falco-sandbox-rules:4}&#34;</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set <span style="color:#b44">&#34;falco.rules_files={/etc/falco/k8s_audit_rules.yaml,/etc/falco/rules.d,/etc/falco/falco_rules.yaml,/etc/falco/falco-incubating_rules.yaml,/etc/falco/falco-sandbox_rules.yaml}&#34;</span> </span></span></code></pre></div><p>Where the option <code>falcoctl.config.artifact.install.refs</code> governs which rules are downloaded at startup, <code>falcoctl.config.artifact.follow.refs</code> identifies which rules are automatically updated and <code>falco.rules_files</code> indicates which rules are loaded by the engine.</p> </div> </div> </div> <p>You can find all the rules in their official <a href="https://github.com/falcosecurity/rules/blob/main/rules/">repository</a>.</p> <style> html { scroll-padding-top: 70px; } .collapsible { padding-top: 10px; padding-left: 10px; width: 100%; border: none; text-align: left; outline: none; font-weight: bold; font-size: 125%; background-color: #ffffff; } .collapsible:hover, .collapsible:active { background-color: #00aec7; font-weight: bold; } #search { width: 100%; padding: 12px 20px 12px 10px; border: 1px solid #ddd; margin-bottom: 12px; } .rule { background-color: #fff; padding-top: 10px; padding-left: 10px; padding-right: 10px; margin-left: 0px; display: none; overflow: hidden; border: solid; border-color: #00aec7; } .field { font-weight: bold; padding: 10px; } .chip { align-items: center; display: inline-flex; justify-content: center; background-color: #d1d5db; border-radius: 0.5rem; padding: 0.25rem 0.5rem; margin-bottom: 10px; } .small { font-size: 70%; float: right; margin-right: 5px; } .chip__content { margin-right: 0.25rem; } .priority, .status, .maturity { color: #fff; } .debug { background-color: #C62828; } .alert { background-color: #D32F2F; } .critical { background-color: #E53935; } .error { background-color: #FF5252; } .warning { background-color: #FB8C00; } .notice { background-color: #1976D2; } .info{ background-color: #03A9F4; } .debug { background-color: #29B6F6; } .enabled { background-color: #017f33; } .disabled { background-color: #cc0047d7; } .stable { background-color: #00c58a; } .incubating { background-color: #dd9f41; } .sandbox { background-color: #c57fff; } .deprecated { background-color: #ff3300; } .unknown { background-color: #818181; } </style> <div class="rules" id="rules"> <input type="text" id="search" onkeyup="search()" placeholder="Search for rules..."> <button type="button" class="collapsible" id=Disallowed_SSH_Connection> Disallowed SSH Connection <span class="status disabled chip small">disabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity deprecated chip small">deprecated</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect any new SSH connection on port 22 to a host other than those in an allowed list of hosts. This rule absolutely requires profiling your environment beforehand. Network-based rules are extremely crucial in any security program, as they can often provide the only definitive evidence. However, effectively operationalizing them can be challenging due to the potential for noise. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">inbound_outbound and ssh_port and not allowed_ssh_hosts </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Disallowed SSH Connection (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity deprecated chip"> deprecated</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_deprecated</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> network</span> <span class="chip"> mitre_lateral_movement</span> <span class="chip"> T1021.004</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status disabled chip">disabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Disallowed_SSH_Connection /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Unexpected_outbound_connection_destination> Unexpected outbound connection destination <span class="status disabled chip small">disabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity deprecated chip small">deprecated</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect any outbound connection to a destination outside of an allowed set of ips, networks, or domain names. This rule absolutely requires profiling your environment beforehand. Network-based rules are extremely crucial in any security program, as they can often provide the only definitive evidence. However, effectively operationalizing them can be challenging due to the potential for noise. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">outbound and not ((fd.sip in (allowed_outbound_destination_ipaddrs)) or (fd.snet in (allowed_outbound_destination_networks)) or (fd.sip.name in (allowed_outbound_destination_domains))) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Disallowed outbound connection destination (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity deprecated chip"> deprecated</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_deprecated</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> network</span> <span class="chip"> mitre_command_and_control</span> <span class="chip"> TA0011</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status disabled chip">disabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Unexpected_outbound_connection_destination /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Outbound_or_Inbound_Traffic_not_to_Authorized_Server_Process_and_Port> Outbound or Inbound Traffic not to Authorized Server Process and Port <span class="status disabled chip small">disabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity deprecated chip small">deprecated</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect traffic to an unauthorized server process and port within pre-defined containers. This rule absolutely requires profiling your environment beforehand and also necessitates adjusting the list of containers to which this rule will be applied. The current expression logic will never evaluate to true unless the list is populated. Network-based rules are extremely crucial in any security program, as they can often provide the only definitive evidence. However, effectively operationalizing them can be challenging due to the potential for noise. Notably, this rule is challenging to operationalize. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">inbound_outbound and container and container.image.repository in (allowed_image) and not proc.name in (authorized_server_binary) and not fd.sport in (authorized_server_port) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Network connection outside authorized port and binary (connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity deprecated chip"> deprecated</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_deprecated</span> <span class="chip"> container</span> <span class="chip"> network</span> <span class="chip"> mitre_discovery</span> <span class="chip"> TA0011</span> <span class="chip"> NIST_800-53_CM-7</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status disabled chip">disabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Outbound_or_Inbound_Traffic_not_to_Authorized_Server_Process_and_Port /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Outbound_Connection_to_C2_Servers> Outbound Connection to C2 Servers <span class="status disabled chip small">disabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity deprecated chip small">deprecated</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect outbound connections to command and control servers using a list of IP addresses and fully qualified domain names (FQDNs). This rule absolutely requires profiling your environment beforehand and also necessitates adjusting the template lists. The current expression logic will never evaluate to true unless the lists are populated. Network-based rules are extremely crucial in any security program, as they can often provide the only definitive evidence. However, effectively operationalizing them can be challenging due to the potential for noise. Notably, this rule is challenging to operationalize. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">outbound and ((fd.sip in (c2_server_ip_list)) or (fd.sip.name in (c2_server_fqdn_list))) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Outbound connection to C2 server (c2_domain=%fd.sip.name c2_addr=%fd.sip connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty %container.info)</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity deprecated chip"> deprecated</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_deprecated</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> network</span> <span class="chip"> mitre_command_and_control</span> <span class="chip"> TA0011</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status disabled chip">disabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Outbound_Connection_to_C2_Servers /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Modify_Shell_Configuration_File> Modify Shell Configuration File <span class="status enabled chip small">enabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect attempts to modify shell configuration files, primarily aimed at establishing persistence by automatically inserting commands into scripts executed by shells. The upstream rule excludes shell processes because they often create unnecessary noise. However, this might lead to missed detections. To customize the rule for your situation, you can fine-tune it using enhanced profiling. For example, you might want to only consider interactive shell processes (where proc.tty != 0). </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">open_write and (fd.filename in (shell_config_filenames) or fd.name in (shell_config_files) or fd.directory in (shell_config_directories)) and not proc.name in (shell_binaries) and not exe_running_docker_save and not user_known_shell_config_modifiers </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">A shell configuration file has been modified | file=%fd.name pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_persistence</span> <span class="chip"> T1546.004</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Modify_Shell_Configuration_File /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Schedule_Cron_Jobs> Schedule Cron Jobs <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect scheduled cron jobs; this is a highly generic detection and certainly needs adjustments and profiling in your environment before operationalization. Simultaneously, exploiting the functionality of cron jobs is among one of the oldest TTPs used by adversaries. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">((open_write and fd.name startswith /etc/cron) or (spawned_process and proc.name = &#34;crontab&#34;)) and not user_known_cron_jobs </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Cron jobs were scheduled to run | file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_execution</span> <span class="chip"> T1053.003</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Schedule_Cron_Jobs /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Read_ssh_information> Read ssh information <span class="status enabled chip small">enabled</span> <span class="priority error chip small">ERROR</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">This rule identifies attempts to read files within ssh directories using programs that are not related to ssh. It&#39;s a simple and versatile detection method that works well alongside more specific rules focused on sensitive file access. You have a couple of options for using this rule effectively: you can adjust the specialized rules to cover all the important scenarios and ensure precedence in rule smatching for those, or you can analyze the combined view of ssh-related file access across various rules on your downstream computing platform. Just like with other rules, you can narrow down monitoring to specific processes, or you can limit it to interactive access only. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">(open_read or open_directory) and (user_ssh_directory or fd.name startswith /root/.ssh) and not user_known_read_ssh_information_activities and not proc.name in (ssh_binaries) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">ssh-related file/directory read by non-ssh program | file=%fd.name pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority error chip"> ERROR</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_collection</span> <span class="chip"> T1005</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Read_ssh_information /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=DB_program_spawned_process> DB program spawned process <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">A program related to the database server creates an unexpected child process (other than itself). This is not supposed to happen and often follows SQL injection attacks. This behavioral detection could indicate potential unauthorized data extraction or tampering with the database. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and proc.pname in (db_server_binaries) and not proc.name in (db_server_binaries) and not postgres_running_wal_e and not user_known_db_spawned_processes </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Database-related program spawned process other than itself | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> process</span> <span class="chip"> database</span> <span class="chip"> mitre_execution</span> <span class="chip"> T1190</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#DB_program_spawned_process /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Change_thread_namespace> Change thread namespace <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">An attempt to alter the namespace of a process (often performed while creating a container) through the setns syscall. Conversely, the same syscall setns is triggered when an unauthorized attempt is made to break out from the container to the host, for example, when using commands like `nsenter --target 1` and similar ones. Recommending to profile your environment and refine this rule for effective operationalization. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">evt.type=setns and proc_name_exists and not (container.id=host and proc.name in (docker_binaries, k8s_binaries, lxd_binaries, nsenter)) and not proc.name in (sysdigcloud_binaries, sysdig, calico, oci-umount, cilium-cni, network_plugin_binaries) and not proc.name in (user_known_change_thread_namespace_binaries) and not proc.name startswith &#34;runc&#34; and not proc.cmdline startswith &#34;containerd&#34; and not proc.pname in (sysdigcloud_binaries, hyperkube, kubelet, protokube, dockerd, tini, aws) and not java_running_sdjagent and not kubelet_running_loopback and not rancher_agent and not rancher_network_manager and not calico_node and not weaveworks_scope and not user_known_change_thread_namespace_activities </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Namespace change (setns) by unexpected program | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> process</span> <span class="chip"> mitre_privilege_escalation</span> <span class="chip"> T1611</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Change_thread_namespace /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Change_namespace_privileges_via_unshare> Change namespace privileges via unshare <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Unprivileged users in containers may not have CAP_SYS_ADMIN or other elevated privileges. However, they can use the unshare system call with CLONE_NEWNS or CLONE_NEWUSER to create or clone a namespace or user with the necessary privileges to conduct further attacks. It is best practice to block the unshare system call via seccomp if it is not needed. Misuse of unshare can be related to misconfigured Kubernetes clusters, for example. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">evt.type=unshare and container and not thread.cap_permitted contains CAP_SYS_ADMIN </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Change namespace privileges via unshare | res=%evt.res evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> container</span> <span class="chip"> mitre_privilege_escalation</span> <span class="chip"> T1611</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Change_namespace_privileges_via_unshare /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Launch_Privileged_Container> Launch Privileged Container <span class="status enabled chip small">enabled</span> <span class="priority info chip small">INFO</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect the initial process initiation within a privileged container, with exemptions for known and trusted images. This rule primarily serves as an excellent auditing mechanism since highly privileged containers, when compromised, can result in significant harm. For instance, if another rule triggers within such a privileged container, it could be seen as more suspicious, prompting a closer inspection. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">container_started and container.privileged=true and not falco_privileged_containers and not user_privileged_containers and not redhat_image </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Privileged container started | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority info chip"> INFO</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> container</span> <span class="chip"> cis</span> <span class="chip"> mitre_execution</span> <span class="chip"> T1610</span> <span class="chip"> PCI_DSS_10.2.5</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Launch_Privileged_Container /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Launch_Excessively_Capable_Container> Launch Excessively Capable Container <span class="status enabled chip small">enabled</span> <span class="priority info chip small">INFO</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Identify containers that start with a powerful set of capabilities, with exceptions for recognized trusted images. Similar to the &#34;Launch Privileged Container&#34; rule, this functions as a robust auditing rule. Compromised highly privileged containers can lead to substantial harm. For instance, if another rule is triggered within such a container, it might raise suspicion, prompting closer scrutiny. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">container_started and excessively_capable_container and not falco_privileged_containers and not user_privileged_containers </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Excessively capable container started | cap_permitted=%thread.cap_permitted evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority info chip"> INFO</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> container</span> <span class="chip"> cis</span> <span class="chip"> mitre_execution</span> <span class="chip"> T1610</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Launch_Excessively_Capable_Container /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=System_procs_network_activity> System procs network activity <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect any unexpected network activity performed by system binaries that typically shouldn&#39;t perform network activity, including coreutils binaries (like sleep, mkdir, who, date, and others) or user management binaries (such as login, systemd, usermod, deluser, adduser, chpasswd, and others). This serves as a valuable baseline detection for network-related activities. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">inbound_outbound and fd.sockfamily = ip and (system_procs or proc.name in (shell_binaries)) and not proc.name in (known_system_procs_network_activity_binaries) and not login_doing_dns_lookup and not user_expected_system_procs_network_activity_conditions </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Known system binary sent/received network traffic | connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> host</span> <span class="chip"> network</span> <span class="chip"> process</span> <span class="chip"> mitre_execution</span> <span class="chip"> T1059</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#System_procs_network_activity /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Program_run_with_disallowed_http_proxy_env> Program run with disallowed http proxy env <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect curl or wget usage with HTTP_PROXY environment variable. Attackers can manipulate the HTTP_PROXY variable&#39;s value to redirect application&#39;s internal HTTP requests. This could expose sensitive information like authentication keys and private data. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and http_proxy_procs and proc.env icontains HTTP_PROXY and not allowed_ssh_proxy_env </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Curl or wget run with disallowed HTTP_PROXY environment variable | env=%proc.env evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> users</span> <span class="chip"> mitre_execution</span> <span class="chip"> T1204</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Program_run_with_disallowed_http_proxy_env /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Unexpected_UDP_Traffic> Unexpected UDP Traffic <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detecting UDP traffic on ports other than 53 (DNS) or other commonly used ports. Misusing UDP is a known TTP among attackers. Monitoring unusual network activity is highly valuable but often generates significant noise, as is the case with this detection. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">inbound_outbound and fd.l4proto=udp and not expected_udp_traffic </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Unexpected UDP Traffic Seen | connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> network</span> <span class="chip"> mitre_exfiltration</span> <span class="chip"> TA0011</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Unexpected_UDP_Traffic /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Non_sudo_setuid> Non sudo setuid <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect attempts to change users through the use of setuid, with exceptions for sudo/su. The users &#34;root&#34; and &#34;nobody&#34; using setuid on themselves are also excluded, as setuid calls in these cases typically involve reducing privileges. By setting the setuid bit, an attacker could execute code in a different user&#39;s context, potentially with higher privileges. One drawback is the potential for noise, as many applications legitimately use this approach. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">evt.type=setuid and (known_user_in_container or not container) and not (user.name=root or user.uid=0) and not somebody_becoming_themselves and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries, nomachine_binaries) and not proc.name startswith &#34;runc:&#34; and not java_running_sdjagent and not nrpe_becoming_nagios and not user_known_non_sudo_setuid_conditions </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Unexpected setuid call by non-sudo, non-root program | arg_uid=%evt.arg.uid evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> users</span> <span class="chip"> mitre_privilege_escalation</span> <span class="chip"> T1548.001</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Non_sudo_setuid /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=User_mgmt_binaries> User mgmt binaries <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect activity by any programs that can manage users, passwords, or permissions (such as login, systemd, usermod, deluser, adduser, chpasswd, and others). sudo and su are excluded. Activity in containers is also excluded -- some containers create custom users on top of a base linux distribution at startup. Some innocuous command lines that don&#39;t actually change anything are excluded. You might want to consider applying this rule to container actions as well. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and not container and proc.name in (user_mgmt_binaries) and not proc.name in (su, sudo, lastlog, nologin, unix_chkpwd) and not proc.pname in (cron_binaries, systemd, systemd.postins, udev.postinst, run-parts) and not proc.cmdline startswith &#34;passwd -S&#34; and not proc.cmdline startswith &#34;useradd -D&#34; and not proc.cmdline startswith &#34;systemd --version&#34; and not run_by_qualys and not run_by_sumologic_securefiles and not run_by_yum and not run_by_ms_oms and not run_by_google_accounts_daemon and not chage_list and not user_known_user_management_activities </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">User management binary command run outside of container | gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> host</span> <span class="chip"> users</span> <span class="chip"> software_mgmt</span> <span class="chip"> mitre_persistence</span> <span class="chip"> T1098</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#User_mgmt_binaries /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Create_files_below_dev> Create files below dev <span class="status enabled chip small">enabled</span> <span class="priority error chip small">ERROR</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect the creation of files under /dev except for authorized device management programs. This can reveal rootkits hiding files in /dev. Additionally, consider the &#34;Execution from /dev/shm&#34; rule. The upstream rule already covers some tuning scenarios that you can further expand upon. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">(evt.type = creat or (evt.type in (open,openat,openat2))) and evt.arg.flags contains O_CREAT and fd.directory = /dev and not proc.name in (dev_creation_binaries) and not fd.name in (allowed_dev_files) and not fd.name startswith /dev/tty and not user_known_create_files_below_dev_activities </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">File created below /dev by untrusted program | file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority error chip"> ERROR</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> host</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_persistence</span> <span class="chip"> T1543</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Create_files_below_dev /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Contact_EC2_Instance_Metadata_Service_From_Container> Contact EC2 Instance Metadata Service From Container <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detects attempts to communicate with the EC2 Instance Metadata Service from a container. This detection is narrowly focused and might not apply to your environment. In addition, it could generate noise and require fine-tuning. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">outbound and container and fd.sip=&#34;169.254.169.254&#34; and not ec2_metadata_containers </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Outbound connection to EC2 instance metadata service | connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> network</span> <span class="chip"> aws</span> <span class="chip"> container</span> <span class="chip"> mitre_credential_access</span> <span class="chip"> T1552.005</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Contact_EC2_Instance_Metadata_Service_From_Container /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Contact_cloud_metadata_service_from_container> Contact cloud metadata service from container <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detects attempts to communicate with the Cloud Instance Metadata Service from a container. This detection is narrowly focused and might not apply to your environment. In addition, it could generate noise and require fine-tuning. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">outbound and container and fd.sip=&#34;169.254.169.254&#34; and not user_known_metadata_access </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Outbound connection to cloud instance metadata service | connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> network</span> <span class="chip"> container</span> <span class="chip"> mitre_discovery</span> <span class="chip"> T1565</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Contact_cloud_metadata_service_from_container /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Launch_Package_Management_Process_in_Container> Launch Package Management Process in Container <span class="status enabled chip small">enabled</span> <span class="priority error chip small">ERROR</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect package management processes executed within containers. An excellent auditing rule to monitor general drifts in containers. Particularly useful for newer rules like &#34;Drop and execute new binary in container&#34; during incident response investigations. This helps identify common anti-patterns of ad-hoc debugging. Simultaneously, to maintain optimal hygiene, it&#39;s recommended to prevent container drifts and instead opt for redeploying new containers. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and container and user.name != &#34;_apt&#34; and package_mgmt_procs and not package_mgmt_ancestor_procs and not user_known_package_manager_in_container and not pkg_mgmt_in_kube_proxy </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Package management process launched in container | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority error chip"> ERROR</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> container</span> <span class="chip"> process</span> <span class="chip"> software_mgmt</span> <span class="chip"> mitre_persistence</span> <span class="chip"> T1505</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Launch_Package_Management_Process_in_Container /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Launch_Suspicious_Network_Tool_in_Container> Launch Suspicious Network Tool in Container <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect network tools (like netcat, nmap, tcpdump, socat, and more) launched within containers without any additional filters. This serves as a valuable general detection, but it&#39;s recommended to invest engineering effort to fine-tune it and prevent a high volume of legitimate logs. This rule complements the more specific &#34;Netcat Remote Code Execution in Container&#34; rule. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and container and network_tool_procs and not user_known_network_tool_activities </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Network tool launched in container | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> container</span> <span class="chip"> network</span> <span class="chip"> process</span> <span class="chip"> mitre_execution</span> <span class="chip"> T1059</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Launch_Suspicious_Network_Tool_in_Container /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Launch_Suspicious_Network_Tool_on_Host> Launch Suspicious Network Tool on Host <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect network tools (like netcat, nmap, tcpdump, socat, and more) launched within containers without any additional filters. This serves as a valuable general detection, but it&#39;s recommended to invest engineering effort to fine-tune it and prevent a high volume of legitimate logs. The host equivalent of &#34;Launch Suspicious Network Tool in Container.&#34;. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and not container and network_tool_procs and not user_known_network_tool_activities </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Network tool launched on host | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> host</span> <span class="chip"> network</span> <span class="chip"> process</span> <span class="chip"> mitre_execution</span> <span class="chip"> T1059</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Launch_Suspicious_Network_Tool_on_Host /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Delete_or_rename_shell_history> Delete or rename shell history <span class="status enabled chip small">enabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect shell history deletion, frequently used by unsophisticated adversaries to eliminate evidence. Note that it can also trigger when exiting a Terminal shell, such as with `kubectl exec`, which may introduce some noise. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">(modify_shell_history or truncate_shell_history) and not var_lib_docker_filepath and not proc.name in (docker_binaries) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Shell history deleted or renamed | file=%fd.name name=%evt.arg.name path=%evt.arg.path oldpath=%evt.arg.oldpath evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> process</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_defense_evasion</span> <span class="chip"> T1070</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Delete_or_rename_shell_history /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Set_Setuid_or_Setgid_bit> Set Setuid or Setgid bit <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">This rule is focused on detecting the use of setuid or setgid bits set via chmod. These bits, when set for an application, result in the application running with the privileges of the owning user or group. By enabling the setuid or setgid bits, an attacker could run code in a different user&#39;s context, possibly with elevated privileges. However, there&#39;s a trade-off with noise, given that numerous applications legitimately run chmod. This rule is related to the &#34;Non sudo setuid&#34; rule. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">chmod and (evt.arg.mode contains &#34;S_ISUID&#34; or evt.arg.mode contains &#34;S_ISGID&#34;) and not proc.name in (user_known_chmod_applications) and not exe_running_docker_save and not user_known_set_setuid_or_setgid_bit_conditions </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Setuid or setgid bit is set via chmod | fd=%evt.arg.fd filename=%evt.arg.filename mode=%evt.arg.mode evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> process</span> <span class="chip"> users</span> <span class="chip"> mitre_privilege_escalation</span> <span class="chip"> T1548.001</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Set_Setuid_or_Setgid_bit /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Launch_Remote_File_Copy_Tools_in_Container> Launch Remote File Copy Tools in Container <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect remote file copy tools (like rsync, scp, sftp, dcp) launched within a container, potentially indicating data exfiltration. Suggest refining this rule to accommodate legitimate use cases. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and container and remote_file_copy_procs and not user_known_remote_file_copy_activities </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Remote file copy tool launched in container | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> container</span> <span class="chip"> network</span> <span class="chip"> process</span> <span class="chip"> mitre_exfiltration</span> <span class="chip"> T1020</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Launch_Remote_File_Copy_Tools_in_Container /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Network_Connection_outside_Local_Subnet> Network Connection outside Local Subnet <span class="status enabled chip small">enabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect network traffic (inbound or outbound) from a container to a destination outside the local subnet. To operationalize this rule, profile your environment and update the template macro namespace_scope_network_only_subnet. Customizing network-related rules usually demands substantial engineering effort to ensure their functionality. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">inbound_outbound and container and k8s.ns.name in (namespace_scope_network_only_subnet) and not network_local_subnet </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Network connection outside local subnet | fd_rip_name=%fd.rip.name fd_lip_name=%fd.lip.name fd_cip_name=%fd.cip.name fd_sip_name=%fd.sip.name connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> container</span> <span class="chip"> network</span> <span class="chip"> mitre_discovery</span> <span class="chip"> T1046</span> <span class="chip"> PCI_DSS_6.4.2</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Network_Connection_outside_Local_Subnet /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Mount_Launched_in_Privileged_Container> Mount Launched in Privileged Container <span class="status enabled chip small">enabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect filesystem mounts (using the mount binary) within a privileged container. Due to the elevated privileges, this action could be one of the TTPs used in an attempt to escape from a container to the host. This type of action is often preceded by reconnaissance activities, for which you can also create custom rules. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and container and container.privileged=true and proc.name=mount and not mount_info and not known_gke_mount_in_privileged_containers and not known_aks_mount_in_privileged_containers and not known_eks_mount_in_privileged_containers and not user_known_mount_in_privileged_containers </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Mount was executed inside a privileged container | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> container</span> <span class="chip"> cis</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_privilege_escalation</span> <span class="chip"> T1611</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Mount_Launched_in_Privileged_Container /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Launch_Ingress_Remote_File_Copy_Tools_in_Container> Launch Ingress Remote File Copy Tools in Container <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect ingress remote file copy tools (such as curl or wget) launched inside containers. This rule can be considered a valuable auditing tool, but it has the potential to generate notable noise and requires careful profiling before full operationalization. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and container and (ingress_remote_file_copy_procs or curl_download) and not user_known_ingress_remote_file_copy_activities </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Ingress remote file copy tool launched in container | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> container</span> <span class="chip"> network</span> <span class="chip"> process</span> <span class="chip"> mitre_command_and_control</span> <span class="chip"> TA0011</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Launch_Ingress_Remote_File_Copy_Tools_in_Container /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Read_environment_variable_from_/proc_files> Read environment variable from /proc files <span class="status enabled chip small">enabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">An attempt to read process environment variables from /proc files. The consequences are akin to accessing traditional sensitive files, as sensitive data, including secrets, might be stored in environment variables. Understanding your environment, such as identifying critical namespaces, and incorporating extra filtering statements to alert exclusively for those, can enhance the rule&#39;s effectiveness. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">open_read and container and (fd.name glob /proc/*/environ) and not proc.name in (known_binaries_to_read_environment_variables_from_proc_files) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Environment variables were retrieved from /proc files | file=%fd.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> container</span> <span class="chip"> filesystem</span> <span class="chip"> process</span> <span class="chip"> mitre_discovery</span> <span class="chip"> T1083</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Read_environment_variable_from_%2fproc_files /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Exfiltrating_Artifacts_via_Kubernetes_Control_Plane> Exfiltrating Artifacts via Kubernetes Control Plane <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect the copying of artifacts from a container&#39;s file system using the Kubernetes control plane (kubectl cp). This rule can identify potential exfiltration of application secrets from containers&#39; file systems, potentially revealing the outcomes of unauthorized access and control plane misuse via stolen identities (such as stolen credentials like Kubernetes serviceaccount tokens). Can be customized by the adopter to only monitor specific artifact paths, containers, or namespaces as needed. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">open_read and container and proc.name=tar and container_entrypoint and proc.tty=0 and not system_level_side_effect_artifacts_kubectl_cp </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Exfiltrating Artifacts via Kubernetes Control Plane | file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> container</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_exfiltration</span> <span class="chip"> TA0010</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Exfiltrating_Artifacts_via_Kubernetes_Control_Plane /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Adding_ssh_keys_to_authorized_keys> Adding ssh keys to authorized_keys <span class="status enabled chip small">enabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">After gaining access, attackers can modify the authorized_keys file to maintain persistence on a victim host. Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. This rules aims at detecting any modification to the authorized_keys file, that is usually located under the .ssh directory in any user&#39;s home directory. This rule complements the more generic auditing rule &#34;Read ssh information&#34; by specifically detecting the writing of new, potentially attacker-provided keys. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">open_write and (user_ssh_directory or fd.name startswith /root/.ssh) and fd.name endswith authorized_keys and not proc.name in (ssh_binaries) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Adding ssh keys to authorized_keys | file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> host</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_persistence</span> <span class="chip"> T1098.004</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Adding_ssh_keys_to_authorized_keys /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Potential_Local_Privilege_Escalation_via_Environment_Variables_Misuse> Potential Local Privilege Escalation via Environment Variables Misuse <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Process run with suspect environment variable that could be attempting privilege escalation. One use case is detecting the use of the GLIBC_TUNABLES environment variable, which could be used for privilege escalation on systems running vulnerable glibc versions. Only known and carefully profiled processes that legitimately exhibit this behavior should be excluded from this rule. This rule is expected to trigger on every attempt, even failed ones. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and glibc_tunables_env </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Process run with suspect environment variable which could be attempting privilege escalation | env=%proc.env evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> users</span> <span class="chip"> mitre_privilege_escalation</span> <span class="chip"> TA0004</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Potential_Local_Privilege_Escalation_via_Environment_Variables_Misuse /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Backdoored_library_loaded_into_SSHD_(CVE-2024-3094)> Backdoored library loaded into SSHD (CVE-2024-3094) <span class="status enabled chip small">enabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">This rule detects possible CVE-2024-3094 exploitation when the SSH daemon process loads a vulnerable version of the liblzma library. An attacker could exploit this to interfere with authentication in sshd via systemd, potentially compromising sensitive data or escalating their privileges.</code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">open_read and proc.name=sshd and (fd.name contains &#34;liblzma.so.5.6.0&#34; or fd.name contains &#34;liblzma.so.5.6.1&#34;) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">SSHD loaded a backdoored version of liblzma library %fd.name with parent %proc.pname and cmdline %proc.cmdline | process=%proc.name parent=%proc.pname file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid proc_exepath=%proc.exepath command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> mitre_initial_access</span> <span class="chip"> T1556</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Backdoored_library_loaded_into_SSHD_%28CVE-2024-3094%29 /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=BPF_Program_Not_Profiled> BPF Program Not Profiled <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity incubating chip small">incubating</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">BPF is a kernel technology that can be misused for malicious purposes, like &#34;Linux Kernel Module Injection&#34;. This rule should be considered an auditing rule to notify you of any unprofiled BPF tools running in your environment. However, it requires customization after profiling your environment. BPF-powered agents make bpf syscalls all the time, so this rule only sends logs for BPF_PROG_LOAD calls (bpf cmd=5) in the enter event. If you also want to log whether the syscall failed or succeeded, remove the direction filter and add the evt.arg.res_or_fd output field. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">evt.type=bpf and (evt.arg.cmd=5 or evt.arg.cmd=BPF_PROG_LOAD) and not bpf_profiled_procs </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">BPF Program Not Profiled | bpf_cmd=%evt.arg.cmd evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity incubating chip"> incubating</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_incubating</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> mitre_persistence</span> <span class="chip"> TA0003</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#BPF_Program_Not_Profiled /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Unexpected_inbound_connection_source> Unexpected inbound connection source <span class="status disabled chip small">disabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect any inbound connection from a source outside of an allowed set of ips, networks, or domain names. This rule absolutely requires profiling your environment beforehand. Network-based rules are extremely crucial in any security program, as they can often provide the only definitive evidence. However, effectively operationalizing them can be challenging due to the potential for noise. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">inbound and not ((fd.cip in (allowed_inbound_source_ipaddrs)) or (fd.cnet in (allowed_inbound_source_networks)) or (fd.cip.name in (allowed_inbound_source_domains))) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Disallowed inbound connection source | connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> network</span> <span class="chip"> mitre_command_and_control</span> <span class="chip"> TA0011</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status disabled chip">disabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Unexpected_inbound_connection_source /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Read_Shell_Configuration_File> Read Shell Configuration File <span class="status disabled chip small">disabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">This rule detects attempts made by non-shell programs to read shell configuration files. It offers additional generic auditing. It serves as a baseline detection alert for unusual shell configuration file accesses. The rule &#34;Modify Shell Configuration File&#34; might be more relevant and adequate for your specific cases. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">open_read and (fd.filename in (shell_config_filenames) or fd.name in (shell_config_files) or fd.directory in (shell_config_directories)) and not proc.name in (shell_binaries) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">A shell configuration file was read by a non-shell program | file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_discovery</span> <span class="chip"> T1546.004</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status disabled chip">disabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Read_Shell_Configuration_File /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Update_Package_Repository> Update Package Repository <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">This rule generically detects updates to package repositories and can be seen as an auditing measure. Recommend evaluating its relevance for your specific environment. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">((open_write and access_repositories) or (modify and modify_repositories)) and not package_mgmt_procs and not package_mgmt_ancestor_procs and not exe_running_docker_save and not user_known_update_package_registry </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Repository files get updated | newpath=%evt.arg.newpath file=%fd.name pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_execution</span> <span class="chip"> T1072</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Update_Package_Repository /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Write_below_binary_dir> Write below binary dir <span class="status enabled chip small">enabled</span> <span class="priority error chip small">ERROR</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Trying to write to any file below specific binary directories can serve as an auditing rule to track general system changes. Such rules can be noisy and challenging to interpret, particularly if your system frequently undergoes updates. However, careful profiling of your environment can transform this rule into an effective rule for detecting unusual behavior associated with system changes, including compliance-related cases. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">open_write and bin_dir and not package_mgmt_procs and not exe_running_docker_save and not python_running_get_pip and not python_running_ms_oms and not user_known_write_below_binary_dir_activities </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">File below a known binary directory opened for writing | file=%fd.name pcmdline=%proc.pcmdline gparent=%proc.aname[2] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority error chip"> ERROR</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_persistence</span> <span class="chip"> T1543</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Write_below_binary_dir /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Write_below_monitored_dir> Write below monitored dir <span class="status enabled chip small">enabled</span> <span class="priority error chip small">ERROR</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Trying to write to any file below a set of monitored directories can serve as an auditing rule to track general system changes. Such rules can be noisy and challenging to interpret, particularly if your system frequently undergoes updates. However, careful profiling of your environment can transform this rule into an effective rule for detecting unusual behavior associated with system changes, including compliance-related cases. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">open_write and monitored_dir and not package_mgmt_procs and not coreos_write_ssh_dir and not exe_running_docker_save and not python_running_get_pip and not python_running_ms_oms and not google_accounts_daemon_writing_ssh and not cloud_init_writing_ssh and not user_known_write_monitored_dir_conditions </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">File below a monitored directory opened for writing | file=%fd.name pcmdline=%proc.pcmdline gparent=%proc.aname[2] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority error chip"> ERROR</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_persistence</span> <span class="chip"> T1543</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Write_below_monitored_dir /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Write_below_etc> Write below etc <span class="status enabled chip small">enabled</span> <span class="priority error chip small">ERROR</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Trying to write to any file below /etc can serve as an auditing rule to track general system changes. Such rules can be noisy and challenging to interpret, particularly if your system frequently undergoes updates. However, careful profiling of your environment can transform this rule into an effective rule for detecting unusual behavior associated with system changes, including compliance-related cases. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">write_etc_common</code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">File below /etc opened for writing | file=%fd.name pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority error chip"> ERROR</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_persistence</span> <span class="chip"> T1098</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Write_below_etc /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Write_below_root> Write below root <span class="status enabled chip small">enabled</span> <span class="priority error chip small">ERROR</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Trying to write to any file directly below / or /root can serve as an auditing rule to track general system changes. Such rules can be noisy and challenging to interpret, particularly if your system frequently undergoes updates. However, careful profiling of your environment can transform this rule into an effective rule for detecting unusual behavior associated with system changes, including compliance-related cases. Lastly, this rule stands out as potentially the noisiest one among rules related to &#34;write below. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">open_write and root_dir and proc_name_exists and not fd.name in (known_root_files) and not fd.directory pmatch (known_root_directories) and not exe_running_docker_save and not gugent_writing_guestagent_log and not dse_writing_tmp and not zap_writing_state and not airflow_writing_state and not rpm_writing_root_rpmdb and not maven_writing_groovy and not chef_writing_conf and not kubectl_writing_state and not cassandra_writing_state and not galley_writing_state and not calico_writing_state and not rancher_writing_root and not runc_writing_exec_fifo and not mysqlsh_writing_state and not known_root_conditions and not user_known_write_root_conditions and not user_known_write_below_root_activities </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">File below / or /root opened for writing | file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority error chip"> ERROR</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_persistence</span> <span class="chip"> TA0003</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Write_below_root /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Write_below_rpm_database> Write below rpm database <span class="status enabled chip small">enabled</span> <span class="priority error chip small">ERROR</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Trying to write to the rpm database by any non-rpm related program can serve as an auditing rule to track general system changes. Such rules can be noisy and challenging to interpret, particularly if your system frequently undergoes updates. However, careful profiling of your environment can transform this rule into an effective rule for detecting unusual behavior associated with system changes, including compliance-related cases. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">open_write and fd.name startswith /var/lib/rpm and not rpm_procs and not ansible_running_python and not python_running_chef and not exe_running_docker_save and not amazon_linux_running_python_yum and not user_known_write_rpm_database_activities </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">rpm database opened for writing by a non-rpm program | file=%fd.name pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority error chip"> ERROR</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> filesystem</span> <span class="chip"> software_mgmt</span> <span class="chip"> mitre_persistence</span> <span class="chip"> T1072</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Write_below_rpm_database /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Modify_binary_dirs> Modify binary dirs <span class="status enabled chip small">enabled</span> <span class="priority error chip small">ERROR</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Trying to modify any file below a set of binary directories can serve as an auditing rule to track general system changes. Such rules can be noisy and challenging to interpret, particularly if your system frequently undergoes updates. However, careful profiling of your environment can transform this rule into an effective rule for detecting unusual behavior associated with system changes, including compliance-related cases. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">modify and bin_dir_rename and not package_mgmt_procs and not exe_running_docker_save and not user_known_modify_bin_dir_activities </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">File below known binary directory renamed/removed | file=%fd.name pcmdline=%proc.pcmdline evt_args=%evt.args evt_type=%evt.type evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority error chip"> ERROR</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_defense_evasion</span> <span class="chip"> T1222.002</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Modify_binary_dirs /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Mkdir_binary_dirs> Mkdir binary dirs <span class="status enabled chip small">enabled</span> <span class="priority error chip small">ERROR</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Trying to create a directory below a set of binary directories can serve as an auditing rule to track general system changes. Such rules can be noisy and challenging to interpret, particularly if your system frequently undergoes updates. However, careful profiling of your environment can transform this rule into an effective rule for detecting unusual behavior associated with system changes, including compliance-related cases. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">mkdir and bin_dir_mkdir and not package_mgmt_procs and not user_known_mkdir_bin_dir_activities and not exe_running_docker_save </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Directory below known binary directory created | directory=%evt.arg.path evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority error chip"> ERROR</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_persistence</span> <span class="chip"> T1222.002</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Mkdir_binary_dirs /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Launch_Sensitive_Mount_Container> Launch Sensitive Mount Container <span class="status enabled chip small">enabled</span> <span class="priority info chip small">INFO</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect the initial process launched within a container that has a mount from a sensitive host directory (e.g. /proc). Exceptions are made for known trusted images. This rule holds value for generic auditing; however, its noisiness varies based on your environment. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">container_started and sensitive_mount and not falco_sensitive_mount_containers and not user_sensitive_mount_containers </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Container with sensitive mount started | mounts=%container.mounts evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority info chip"> INFO</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> container</span> <span class="chip"> cis</span> <span class="chip"> mitre_execution</span> <span class="chip"> T1610</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Launch_Sensitive_Mount_Container /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Launch_Disallowed_Container> Launch Disallowed Container <span class="status enabled chip small">enabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect the initial process launched within a container that is not in a list of allowed containers. This rule holds value for generic auditing; however, this rule requires a good understanding of your setup and consistent effort to keep the list of allowed containers current. In some situations, this can be challenging to manage. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">container_started and not allowed_containers </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Container started and not in allowed list | evt_type=%evt.type user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> container</span> <span class="chip"> mitre_lateral_movement</span> <span class="chip"> T1610</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Launch_Disallowed_Container /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Interpreted_procs_inbound_network_activity> Interpreted procs inbound network activity <span class="status disabled chip small">disabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Any inbound network activity performed by any interpreted program (perl, python, ruby, etc.). While it offers broad coverage and behavioral insights, operationalizing it effectively requires significant time and might result in a moderate level of noise. Suggesting customizing this rule to be more specific. For example, you could set it up to alert only for important namespaces after studying their usual behavior. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">inbound and interpreted_procs </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Interpreted program received/listened for network traffic | connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> network</span> <span class="chip"> mitre_exfiltration</span> <span class="chip"> TA0011</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status disabled chip">disabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Interpreted_procs_inbound_network_activity /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Interpreted_procs_outbound_network_activity> Interpreted procs outbound network activity <span class="status disabled chip small">disabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Any outbound network activity performed by any interpreted program (perl, python, ruby, etc.). While it offers broad coverage and behavioral insights, operationalizing it effectively requires significant time and might result in a moderate level of noise. Suggesting customizing this rule to be more specific. For example, you could set it up to alert only for important namespaces after studying their usual behavior. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">outbound and interpreted_procs </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Interpreted program performed outgoing network connection | connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> network</span> <span class="chip"> mitre_exfiltration</span> <span class="chip"> TA0011</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status disabled chip">disabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Interpreted_procs_outbound_network_activity /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Unexpected_K8s_NodePort_Connection> Unexpected K8s NodePort Connection <span class="status disabled chip small">disabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect attempts to utilize K8s NodePorts from a container. K8s NodePorts are accessible on the eth0 interface of each node, and they facilitate external traffic into a Kubernetes cluster. Attackers could misuse them for unauthorized access. The rule uses default port ranges, but check for custom ranges and make necessary adjustments. Also, consider tuning this rule as needed. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">inbound_outbound and container and fd.sport &gt;= 30000 and fd.sport &lt;= 32767 and not nodeport_containers </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Unexpected K8s NodePort Connection | connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> network</span> <span class="chip"> k8s</span> <span class="chip"> container</span> <span class="chip"> mitre_persistence</span> <span class="chip"> T1205.001</span> <span class="chip"> NIST_800-53_AC-6</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status disabled chip">disabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Unexpected_K8s_NodePort_Connection /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Create_Hidden_Files_or_Directories> Create Hidden Files or Directories <span class="status disabled chip small">disabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detecting hidden files or directories creation can serve as an auditing rule to track general system changes. Such rules can be noisy and challenging to interpret, particularly if your system frequently undergoes updates. However, careful profiling of your environment can transform this rule into an effective rule for detecting unusual behavior associated with system changes, including compliance-related cases. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">((modify and evt.arg.newpath contains &#34;/.&#34;) or (mkdir and evt.arg.path contains &#34;/.&#34;) or (open_write and evt.arg.flags contains &#34;O_CREAT&#34; and fd.name contains &#34;/.&#34; and not fd.name pmatch (exclude_hidden_directories))) and not user_known_create_hidden_file_activities and not exe_running_docker_save </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Hidden file or directory created | file=%fd.name newpath=%evt.arg.newpath evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_defense_evasion</span> <span class="chip"> T1564.001</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status disabled chip">disabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Create_Hidden_Files_or_Directories /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Detect_outbound_connections_to_common_miner_pool_ports> Detect outbound connections to common miner pool ports <span class="status disabled chip small">disabled</span> <span class="priority critical chip small">CRITICAL</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Miners usually connect to miner pools using standard ports, and this rule flags such activity. Important: Falco currently sends DNS requests to resolve miner pool domains, which could trigger other alerts. Prior to enabling this rule, it&#39;s advised to ensure whether this is acceptable for your environment. This rule is specifically disabled for that reason. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">net_miner_pool and not trusted_images_query_miner_domain_dns </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Outbound connection to IP/Port flagged by https://cryptoioc.ch | ip=%fd.rip connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority critical chip"> CRITICAL</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> network</span> <span class="chip"> mitre_impact</span> <span class="chip"> T1496</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status disabled chip">disabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Detect_outbound_connections_to_common_miner_pool_ports /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Detect_crypto_miners_using_the_Stratum_protocol> Detect crypto miners using the Stratum protocol <span class="status enabled chip small">enabled</span> <span class="priority critical chip small">CRITICAL</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Miners commonly specify the mining pool to connect to using a URI that starts with &#34;stratum&#43;tcp&#34;. However, this rule is highly specific to this technique, and matching command-line arguments can generally be bypassed quite easily. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and (proc.cmdline contains &#34;stratum&#43;tcp&#34; or proc.cmdline contains &#34;stratum2&#43;tcp&#34; or proc.cmdline contains &#34;stratum&#43;ssl&#34; or proc.cmdline contains &#34;stratum2&#43;ssl&#34;) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Possible miner running | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority critical chip"> CRITICAL</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> process</span> <span class="chip"> mitre_impact</span> <span class="chip"> T1496</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Detect_crypto_miners_using_the_Stratum_protocol /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Kubernetes_Client_Tool_Launched_in_Container> Kubernetes Client Tool Launched in Container <span class="status enabled chip small">enabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect the execution of a Kubernetes client tool (like docker, kubectl, crictl) within a container, which is typically not expected behavior. Although this rule targets container workloads, monitoring the use of tools like crictl on the host over interactive access could also be valuable for broader auditing objectives. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and container and not user_known_k8s_client_container_parens and proc.name in (k8s_client_binaries) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Kubernetes Client Tool Launched in Container | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> container</span> <span class="chip"> mitre_execution</span> <span class="chip"> T1610</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Kubernetes_Client_Tool_Launched_in_Container /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Container_Drift_Detected_(chmod)> Container Drift Detected (chmod) <span class="status disabled chip small">disabled</span> <span class="priority error chip small">ERROR</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect new executables created within a container as a result of chmod. While this detection can generate significant noise, chmod usage is frequently linked to dropping and executing malicious implants. The newer rule &#34;Drop and execute new binary in container&#34; provides more precise detection of this TTP using unambiguous kernel signals. It is recommended to use the new rule. However, this rule might be more relevant for auditing if applicable in your environment, such as when chmod is used on files within the /tmp folder. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">chmod and container and evt.rawres&gt;=0 and ((evt.arg.mode contains &#34;S_IXUSR&#34;) or (evt.arg.mode contains &#34;S_IXGRP&#34;) or (evt.arg.mode contains &#34;S_IXOTH&#34;)) and not runc_writing_exec_fifo and not runc_writing_var_lib_docker and not user_known_container_drift_activities </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Drift detected (chmod), new executable created in a container | filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority error chip"> ERROR</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> container</span> <span class="chip"> process</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_execution</span> <span class="chip"> T1059</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status disabled chip">disabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Container_Drift_Detected_%28chmod%29 /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Container_Drift_Detected_(open&#43;create)> Container Drift Detected (open&#43;create) <span class="status disabled chip small">disabled</span> <span class="priority error chip small">ERROR</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect new executables created within a container as a result of open&#43;create. The newer rule &#34;Drop and execute new binary in container&#34; provides more precise detection of this TTP using unambiguous kernel signals. It is recommended to use the new rule. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">evt.type in (open,openat,openat2,creat) and evt.rawres&gt;=0 and evt.is_open_exec=true and container and not runc_writing_exec_fifo and not runc_writing_var_lib_docker and not user_known_container_drift_activities </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Drift detected (open&#43;create), new executable created in a container | filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority error chip"> ERROR</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> container</span> <span class="chip"> process</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_execution</span> <span class="chip"> T1059</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status disabled chip">disabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Container_Drift_Detected_%28open%2bcreate%29 /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Container_Run_as_Root_User> Container Run as Root User <span class="status disabled chip small">disabled</span> <span class="priority info chip small">INFO</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Container detected running as the root user. This should be taken into account especially when policies disallow containers from running with root user privileges. Note that a root user in containers doesn&#39;t inherently possess extensive power, as modern container environments define privileges through Linux capabilities. To learn more, check out the rule &#34;Launch Privileged Container&#34;. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and container and proc.vpid=1 and user.uid=0 and not user_known_run_as_root_container </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Container launched with root user privilege | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority info chip"> INFO</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> container</span> <span class="chip"> process</span> <span class="chip"> users</span> <span class="chip"> mitre_execution</span> <span class="chip"> T1610</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status disabled chip">disabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Container_Run_as_Root_User /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Sudo_Potential_Privilege_Escalation> Sudo Potential Privilege Escalation <span class="status enabled chip small">enabled</span> <span class="priority critical chip small">CRITICAL</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Affecting sudo (&lt;= 1.9.5p2), there&#39;s a privilege escalation vulnerability. By executing sudo using the sudoedit -s or sudoedit -i command with a command-line argument that ends with a single backslash character, an unprivileged user can potentially escalate privileges to root. This rule is highly specific and might be bypassed due to potential issues with string matching on command line arguments. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and user.uid != 0 and (proc.name=sudoedit or proc.name = sudo) and (proc.args contains -s or proc.args contains -i or proc.args contains --login) and (proc.args contains &#34;\ &#34; or proc.args endswith \) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Detect Sudo Privilege Escalation Exploit (CVE-2021-3156) | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority critical chip"> CRITICAL</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> filesystem</span> <span class="chip"> users</span> <span class="chip"> mitre_privilege_escalation</span> <span class="chip"> T1548.003</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Sudo_Potential_Privilege_Escalation /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Unprivileged_Delegation_of_Page_Faults_Handling_to_a_Userspace_Process> Unprivileged Delegation of Page Faults Handling to a Userspace Process <span class="status enabled chip small">enabled</span> <span class="priority critical chip small">CRITICAL</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect a successful unprivileged userfaultfd syscall, which could serve as an attack primitive for exploiting other vulnerabilities. To fine-tune this rule, consider using the template list &#34;user_known_userfaultfd_processes&#34;. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">evt.type = userfaultfd and user.uid != 0 and (evt.rawres &gt;= 0 or evt.res != -1) and not proc.name in (user_known_userfaultfd_processes) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">An userfaultfd syscall was successfully executed by an unprivileged user | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority critical chip"> CRITICAL</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> process</span> <span class="chip"> mitre_defense_evasion</span> <span class="chip"> TA0005</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Unprivileged_Delegation_of_Page_Faults_Handling_to_a_Userspace_Process /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Polkit_Local_Privilege_Escalation_Vulnerability_(CVE-2021-4034)> Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034) <span class="status enabled chip small">enabled</span> <span class="priority critical chip small">CRITICAL</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">This rule detects attempts to exploit a privilege escalation vulnerability in Polkit&#39;s pkexec. Through the execution of specially crafted code, a local user can exploit this weakness to attain root privileges on a compromised system. This rule is highly specific in its scope. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and user.uid != 0 and proc.name=pkexec and proc.args = &#39;&#39;</code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Detect Polkit pkexec Local Privilege Escalation Exploit (CVE-2021-4034) | args=%proc.args evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority critical chip"> CRITICAL</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> process</span> <span class="chip"> users</span> <span class="chip"> mitre_privilege_escalation</span> <span class="chip"> TA0004</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Polkit_Local_Privilege_Escalation_Vulnerability_%28CVE-2021-4034%29 /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Java_Process_Class_File_Download> Java Process Class File Download <span class="status disabled chip small">disabled</span> <span class="priority critical chip small">CRITICAL</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detecting a Java process downloading a class file which could indicate a successful exploit of the log4shell Log4j vulnerability (CVE-2021-44228). This rule is highly specific in its scope. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">java_network_read and evt.buffer bcontains cafebabe </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Java process class file download | server_ip=%fd.sip server_port=%fd.sport connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority critical chip"> CRITICAL</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> process</span> <span class="chip"> mitre_initial_access</span> <span class="chip"> T1190</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status disabled chip">disabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Java_Process_Class_File_Download /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Modify_Container_Entrypoint> Modify Container Entrypoint <span class="status disabled chip small">disabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">This rule detect an attempt to write on container entrypoint symlink (/proc/self/exe). Possible CVE-2019-5736 Container Breakout exploitation attempt. This rule has a more narrow scope. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">open_write and container and (fd.name=/proc/self/exe or fd.name startswith /proc/self/fd/) and not docker_procs and not proc.cmdline = &#34;runc:[1:CHILD] init&#34; </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Detect Potential Container Breakout Exploit (CVE-2019-5736) | file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> container</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_initial_access</span> <span class="chip"> T1611</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status disabled chip">disabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Modify_Container_Entrypoint /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Decoding_Payload_in_Container> Decoding Payload in Container <span class="status enabled chip small">enabled</span> <span class="priority info chip small">INFO</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect any use of {base64} decoding in a container. Legitimate applications may decode encoded payloads. The template list known_decode_payload_containers can be used for simple tuning and customization, or you can adopt custom, more refined tuning. Less sophisticated adversaries may {base64}-decode their payloads not only to obfuscate them, but also to ensure that the payload remains intact when the application processes it. Note that injecting commands into an application&#39;s input often results in the application processing passed strings like &#34;sh -c&#34;. In these cases, you may be lucky and the encoded blob will also be logged. Otherwise, all you will see is the {base64} decoding command, as the encoded blob was already interpreted by the shell. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and container and base64_decoding and not container.image.repository in (known_decode_payload_containers) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Decoding Payload in Container | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority info chip"> INFO</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> container</span> <span class="chip"> process</span> <span class="chip"> mitre_command_and_control</span> <span class="chip"> T1132</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Decoding_Payload_in_Container /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Basic_Interactive_Reconnaissance> Basic Interactive Reconnaissance <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">This rule detects basic interactive reconnaissance commands that are typically run by unsophisticated attackers or used in internal Red Team exercises. Interactive is defined as a terminal being present (proc.tty != 0). This could be any form of reverse shell or usage of kubectl exec or ssh etc. In addition, filtering for the process being the process group leader indicates that the command was &#34;directly&#34; typed into the terminal and not run as a result of a script. This rule is a basic auditing or template rule. You can expand the list of reconnaissance commands, such as by adding &#34;ls&#34;. Common anti-patterns are SRE activity or debugging, but it is still worth capturing this generically. Typically, you would expect other rules to fire as well in relation to this activity. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and recon_binaries_procs and proc.tty != 0 and proc.is_vpgid_leader=true </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Basic Interactive Reconnaissance | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> process</span> <span class="chip"> mitre_reconnaissance</span> <span class="chip"> TA0043</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Basic_Interactive_Reconnaissance /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Netcat/Socat_Remote_Code_Execution_on_Host> Netcat/Socat Remote Code Execution on Host <span class="status enabled chip small">enabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity sandbox chip small">sandbox</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Netcat/Socat Program runs on host that allows remote code execution and may be utilized as a part of a variety of reverse shell payload https://github.com/swisskyrepo/PayloadsAllTheThings/. These programs are of higher relevance as they are commonly installed on UNIX-like operating systems. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and not container and ((proc.name = &#34;nc&#34; and (proc.cmdline contains &#34;-e&#34; or proc.cmdline contains &#34;-c&#34;)) or (proc.name = &#34;ncat&#34; and (proc.args contains &#34;--sh-exec&#34; or proc.args contains &#34;--exec&#34; or proc.args contains &#34;-e &#34; or proc.args contains &#34;-c &#34; or proc.args contains &#34;--lua-exec&#34;)) or (proc.name = &#39;socat&#39; and (proc.args contains &#34;EXEC&#34; or proc.args contains &#34;SYSTEM&#34;))) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Netcat/Socat runs on host that allows remote code execution | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity sandbox chip"> sandbox</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_sandbox</span> <span class="chip"> host</span> <span class="chip"> network</span> <span class="chip"> process</span> <span class="chip"> mitre_execution</span> <span class="chip"> T1059</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Netcat%2fSocat_Remote_Code_Execution_on_Host /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Directory_traversal_monitored_file_read> Directory traversal monitored file read <span class="status enabled chip small">enabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Web applications can be vulnerable to directory traversal attacks that allow accessing files outside of the web app&#39;s root directory (e.g. Arbitrary File Read bugs). System directories like /etc are typically accessed via absolute paths. Access patterns outside of this (here path traversal) can be regarded as suspicious. This rule includes failed file open attempts. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">(open_read or open_file_failed) and (etc_dir or user_ssh_directory or fd.name startswith /root/.ssh or fd.name contains &#34;id_rsa&#34;) and directory_traversal and not proc.pname in (shell_binaries) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Read monitored file via directory traversal | file=%fd.name fileraw=%fd.nameraw gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_credential_access</span> <span class="chip"> T1555</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Directory_traversal_monitored_file_read /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Read_sensitive_file_trusted_after_startup> Read sensitive file trusted after startup <span class="status enabled chip small">enabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">An attempt to read any sensitive file (e.g. files containing user/password/authentication information) by a trusted program after startup. Trusted programs might read these files at startup to load initial state, but not afterwards. Can be customized as needed. In modern containerized cloud infrastructures, accessing traditional Linux sensitive files might be less relevant, yet it remains valuable for baseline detections. While we provide additional rules for SSH or cloud vendor-specific credentials, you can significantly enhance your security program by crafting custom rules for critical application credentials unique to your environment. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">open_read and sensitive_files and server_procs and not proc_is_new and proc.name!=&#34;sshd&#34; and not user_known_read_sensitive_files_activities </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Sensitive file opened for reading by trusted program after startup | file=%fd.name pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_credential_access</span> <span class="chip"> T1555</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Read_sensitive_file_trusted_after_startup /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Read_sensitive_file_untrusted> Read sensitive file untrusted <span class="status enabled chip small">enabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">An attempt to read any sensitive file (e.g. files containing user/password/authentication information). Exceptions are made for known trusted programs. Can be customized as needed. In modern containerized cloud infrastructures, accessing traditional Linux sensitive files might be less relevant, yet it remains valuable for baseline detections. While we provide additional rules for SSH or cloud vendor-specific credentials, you can significantly enhance your security program by crafting custom rules for critical application credentials unique to your environment. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">open_read and sensitive_files and proc_name_exists and not proc.name in (user_mgmt_binaries, userexec_binaries, package_mgmt_binaries, cron_binaries, read_sensitive_file_binaries, shell_binaries, hids_binaries, vpn_binaries, mail_config_binaries, nomachine_binaries, sshkit_script_binaries, in.proftpd, mandb, salt-call, salt-minion, postgres_mgmt_binaries, google_oslogin_ ) and not cmp_cp_by_passwd and not ansible_running_python and not run_by_qualys and not run_by_chef and not run_by_google_accounts_daemon and not user_read_sensitive_file_conditions and not mandb_postinst and not perl_running_plesk and not perl_running_updmap and not veritas_driver_script and not perl_running_centrifydc and not runuser_reading_pam and not linux_bench_reading_etc_shadow and not user_known_read_sensitive_files_activities and not user_read_sensitive_file_containers </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Sensitive file opened for reading by non-trusted program | file=%fd.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_credential_access</span> <span class="chip"> T1555</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Read_sensitive_file_untrusted /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Run_shell_untrusted> Run shell untrusted <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">An attempt to spawn a shell below a non-shell application. The non-shell applications that are monitored are defined in the protected_shell_spawner macro, with protected_shell_spawning_binaries being the list you can easily customize. For Java parent processes, please note that Java often has a custom process name. Therefore, rely more on proc.exe to define Java applications. This rule can be noisier, as you can see in the exhaustive existing tuning. However, given it is very behavior-driven and broad, it is universally relevant to catch general Remote Code Execution (RCE). Allocate time to tune this rule for your use cases and reduce noise. Tuning suggestions include looking at the duration of the parent process (proc.ppid.duration) to define your long-running app processes. Checking for newer fields such as proc.vpgid.name and proc.vpgid.exe instead of the direct parent process being a non-shell application could make the rule more robust. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and shell_procs and proc.pname exists and protected_shell_spawner and not proc.pname in (shell_binaries, gitlab_binaries, cron_binaries, user_known_shell_spawn_binaries, needrestart_binaries, mesos_shell_binaries, erl_child_setup, exechealthz, PM2, PassengerWatchd, c_rehash, svlogd, logrotate, hhvm, serf, lb-controller, nvidia-installe, runsv, statsite, erlexec, calico-node, &#34;puma reactor&#34;) and not proc.cmdline in (known_shell_spawn_cmdlines) and not proc.aname in (unicorn_launche) and not consul_running_net_scripts and not consul_running_alert_checks and not nginx_starting_nginx and not nginx_running_aws_s3_cp and not run_by_package_mgmt_binaries and not serf_script and not check_process_status and not run_by_foreman and not python_mesos_marathon_scripting and not splunk_running_forwarder and not postgres_running_wal_e and not redis_running_prepost_scripts and not rabbitmq_running_scripts and not rabbitmqctl_running_scripts and not run_by_appdynamics and not user_shell_container_exclusions </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Shell spawned by untrusted binary | parent_exe=%proc.pexe parent_exepath=%proc.pexepath pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3] aname[4]=%proc.aname[4] aname[5]=%proc.aname[5] aname[6]=%proc.aname[6] aname[7]=%proc.aname[7] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> process</span> <span class="chip"> shell</span> <span class="chip"> mitre_execution</span> <span class="chip"> T1059.004</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Run_shell_untrusted /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=System_user_interactive> System user interactive <span class="status enabled chip small">enabled</span> <span class="priority info chip small">INFO</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">System (e.g. non-login) users spawning new processes. Can add custom service users (e.g. apache or mysqld). &#39;Interactive&#39; is defined as new processes as descendants of an ssh session or login process. Consider further tuning by only looking at processes in a terminal / tty (proc.tty != 0). A newer field proc.is_vpgid_leader could be of help to distinguish if the process was &#34;directly&#34; executed, for instance, in a tty, or executed as a descendant process in the same process group, which, for example, is the case when subprocesses are spawned from a script. Consider this rule as a great template rule to monitor interactive accesses to your systems more broadly. However, such a custom rule would be unique to your environment. The rule &#34;Terminal shell in container&#34; that fires when using &#34;kubectl exec&#34; is more Kubernetes relevant, whereas this one could be more interesting for the underlying host. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and system_users and interactive and not user_known_system_user_login </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">System user ran an interactive command | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority info chip"> INFO</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> users</span> <span class="chip"> mitre_execution</span> <span class="chip"> T1059</span> <span class="chip"> NIST_800-53_AC-2</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#System_user_interactive /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Terminal_shell_in_container> Terminal shell in container <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">A shell was used as the entrypoint/exec point into a container with an attached terminal. Parent process may have legitimately already exited and be null (read container_entrypoint macro). Common when using &#34;kubectl exec&#34; in Kubernetes. Correlate with k8saudit exec logs if possible to find user or serviceaccount token used (fuzzy correlation by namespace and pod name). Rather than considering it a standalone rule, it may be best used as generic auditing rule while examining other triggered rules in this container/tty. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and container and shell_procs and proc.tty != 0 and container_entrypoint and not user_expected_terminal_shell_in_container_conditions </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">A shell was spawned in a container with an attached terminal | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> container</span> <span class="chip"> shell</span> <span class="chip"> mitre_execution</span> <span class="chip"> T1059</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Terminal_shell_in_container /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Contact_K8S_API_Server_From_Container> Contact K8S API Server From Container <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect attempts to communicate with the K8S API Server from a container by non-profiled users. Kubernetes APIs play a pivotal role in configuring the cluster management lifecycle. Detecting potential unauthorized access to the API server is of utmost importance. Audit your complete infrastructure and pinpoint any potential machines from which the API server might be accessible based on your network layout. If Falco can&#39;t operate on all these machines, consider analyzing the Kubernetes audit logs (typically drained from control nodes, and Falco offers a k8saudit plugin) as an additional data source for detections within the control plane. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">evt.type=connect and (fd.typechar=4 or fd.typechar=6) and container and k8s_api_server and not k8s_containers and not user_known_contact_k8s_api_server_activities </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Unexpected connection to K8s API Server from container | connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> container</span> <span class="chip"> network</span> <span class="chip"> k8s</span> <span class="chip"> mitre_discovery</span> <span class="chip"> T1565</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Contact_K8S_API_Server_From_Container /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Netcat_Remote_Code_Execution_in_Container> Netcat Remote Code Execution in Container <span class="status enabled chip small">enabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Netcat Program runs inside container that allows remote code execution and may be utilized as a part of a variety of reverse shell payload https://github.com/swisskyrepo/PayloadsAllTheThings/. These programs are of higher relevance as they are commonly installed on UNIX-like operating systems. Can fire in combination with the &#34;Redirect STDOUT/STDIN to Network Connection in Container&#34; rule as it utilizes a different evt.type. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and container and ((proc.name = &#34;nc&#34; and (proc.cmdline contains &#34; -e&#34; or proc.cmdline contains &#34; -c&#34;)) or (proc.name = &#34;ncat&#34; and (proc.args contains &#34;--sh-exec&#34; or proc.args contains &#34;--exec&#34; or proc.args contains &#34;-e &#34; or proc.args contains &#34;-c &#34; or proc.args contains &#34;--lua-exec&#34;)) ) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Netcat runs inside container that allows remote code execution | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> container</span> <span class="chip"> network</span> <span class="chip"> process</span> <span class="chip"> mitre_execution</span> <span class="chip"> T1059</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Netcat_Remote_Code_Execution_in_Container /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Search_Private_Keys_or_Passwords> Search Private Keys or Passwords <span class="status enabled chip small">enabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect attempts to search for private keys or passwords using the grep or find command. This is often seen with unsophisticated attackers, as there are many ways to access files using bash built-ins that could go unnoticed. Regardless, this serves as a solid baseline detection that can be tailored to cover these gaps while maintaining an acceptable noise level. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and ((grep_commands and private_key_or_password) or (proc.name = &#34;find&#34; and (proc.args contains &#34;id_rsa&#34; or proc.args contains &#34;id_dsa&#34; or proc.args contains &#34;id_ed25519&#34; or proc.args contains &#34;id_ecdsa&#34; ) )) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Grep private keys or passwords activities found | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> process</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_credential_access</span> <span class="chip"> T1552.001</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Search_Private_Keys_or_Passwords /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Clear_Log_Activities> Clear Log Activities <span class="status enabled chip small">enabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect clearing of critical access log files, typically done to erase evidence that could be attributed to an adversary&#39;s actions. To effectively customize and operationalize this detection, check for potentially missing log file destinations relevant to your environment, and adjust the profiled containers you wish not to be alerted on. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">open_write and access_log_files and evt.arg.flags contains &#34;O_TRUNC&#34; and not containerd_activities and not trusted_logging_images and not allowed_clear_log_files </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Log files were tampered | file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_defense_evasion</span> <span class="chip"> T1070</span> <span class="chip"> NIST_800-53_AU-10</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Clear_Log_Activities /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Remove_Bulk_Data_from_Disk> Remove Bulk Data from Disk <span class="status enabled chip small">enabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect a process running to clear bulk data from disk with the intention to destroy data, possibly interrupting availability to systems. Profile your environment and use user_known_remove_data_activities to tune this rule. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and clear_data_procs and not user_known_remove_data_activities </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Bulk data has been removed from disk | file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> process</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_impact</span> <span class="chip"> T1485</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Remove_Bulk_Data_from_Disk /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Create_Symlink_Over_Sensitive_Files> Create Symlink Over Sensitive Files <span class="status enabled chip small">enabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect symlinks created over a curated list of sensitive files or subdirectories under /etc/ or root directories. Can be customized as needed. Refer to further and equivalent guidance within the rule &#34;Read sensitive file untrusted&#34;. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">create_symlink and (evt.arg.target in (sensitive_file_names) or evt.arg.target in (sensitive_directory_names)) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Symlinks created over sensitive files | target=%evt.arg.target linkpath=%evt.arg.linkpath evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_credential_access</span> <span class="chip"> T1555</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Create_Symlink_Over_Sensitive_Files /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Create_Hardlink_Over_Sensitive_Files> Create Hardlink Over Sensitive Files <span class="status enabled chip small">enabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect hardlink created over a curated list of sensitive files or subdirectories under /etc/ or root directories. Can be customized as needed. Refer to further and equivalent guidance within the rule &#34;Read sensitive file untrusted&#34;. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">create_hardlink and (evt.arg.oldpath in (sensitive_file_names)) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Hardlinks created over sensitive files | target=%evt.arg.oldpath linkpath=%evt.arg.newpath evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> filesystem</span> <span class="chip"> mitre_credential_access</span> <span class="chip"> T1555</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Create_Hardlink_Over_Sensitive_Files /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Packet_socket_created_in_container> Packet socket created in container <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used for ARP Spoofing and privilege escalation (CVE-2020-14386) by an attacker. Noise can be reduced by using the user_known_packet_socket_binaries template list. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">evt.type=socket and container and evt.arg.domain contains AF_PACKET and not proc.name in (user_known_packet_socket_binaries) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Packet socket was created in a container | socket_info=%evt.args connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> container</span> <span class="chip"> network</span> <span class="chip"> mitre_credential_access</span> <span class="chip"> T1557.002</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Packet_socket_created_in_container /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Redirect_STDOUT/STDIN_to_Network_Connection_in_Container> Redirect STDOUT/STDIN to Network Connection in Container <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect redirection of stdout/stdin to a network connection within a container, achieved by utilizing a variant of the dup syscall (potential reverse shell or remote code execution https://github.com/swisskyrepo/PayloadsAllTheThings/). This detection is behavior-based and may generate noise in the system, and can be adjusted using the user_known_stand_streams_redirect_activities template macro. Tuning can be performed similarly to existing detections based on process lineage or container images, and/or it can be limited to interactive tty (tty != 0). </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">dup and container and evt.rawres in (0, 1, 2) and fd.type in (&#34;ipv4&#34;, &#34;ipv6&#34;) and not user_known_stand_streams_redirect_activities </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Redirect stdout/stdin to network connection | gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] fd.sip=%fd.sip connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> container</span> <span class="chip"> network</span> <span class="chip"> process</span> <span class="chip"> mitre_execution</span> <span class="chip"> T1059</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Redirect_STDOUT%2fSTDIN_to_Network_Connection_in_Container /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Linux_Kernel_Module_Injection_Detected> Linux Kernel Module Injection Detected <span class="status enabled chip small">enabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Inject Linux Kernel Modules from containers using insmod or modprobe with init_module and finit_module syscalls, given the precondition of sys_module effective capabilities. Profile the environment and consider allowed_container_images_loading_kernel_module to reduce noise and account for legitimate cases. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">kernel_module_load and container and thread.cap_effective icontains sys_module and not container.image.repository in (allowed_container_images_loading_kernel_module) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Linux Kernel Module injection from container | parent_exepath=%proc.pexepath gparent=%proc.aname[2] gexepath=%proc.aexepath[2] module=%proc.args res=%evt.res evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> process</span> <span class="chip"> mitre_persistence</span> <span class="chip"> TA0003</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Linux_Kernel_Module_Injection_Detected /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Debugfs_Launched_in_Privileged_Container> Debugfs Launched in Privileged Container <span class="status enabled chip small">enabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect file system debugger debugfs launched inside a privileged container which might lead to container escape. This rule has a more narrow scope. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and container and container.privileged=true and proc.name=debugfs </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Debugfs launched started in a privileged container | evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> container</span> <span class="chip"> cis</span> <span class="chip"> process</span> <span class="chip"> mitre_privilege_escalation</span> <span class="chip"> T1611</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Debugfs_Launched_in_Privileged_Container /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Detect_release_agent_File_Container_Escapes> Detect release_agent File Container Escapes <span class="status enabled chip small">enabled</span> <span class="priority critical chip small">CRITICAL</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect an attempt to exploit a container escape using release_agent file. By running a container with certains capabilities, a privileged user can modify release_agent file and escape from the container. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">open_write and container and fd.name endswith release_agent and (user.uid=0 or thread.cap_effective contains CAP_DAC_OVERRIDE) and thread.cap_effective contains CAP_SYS_ADMIN </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Detect an attempt to exploit a container escape using release_agent file | file=%fd.name cap_effective=%thread.cap_effective evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority critical chip"> CRITICAL</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> container</span> <span class="chip"> process</span> <span class="chip"> mitre_privilege_escalation</span> <span class="chip"> T1611</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Detect_release_agent_File_Container_Escapes /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=PTRACE_attached_to_process> PTRACE attached to process <span class="status enabled chip small">enabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect an attempt to inject potentially malicious code into a process using PTRACE in order to evade process-based defenses or elevate privileges. Common anti-patterns are debuggers. Additionally, profiling your environment via the known_ptrace_procs template macro can reduce noise. A successful ptrace syscall generates multiple logs at once. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">ptrace_attach_or_injection and proc_name_exists and not known_ptrace_procs </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Detected ptrace PTRACE_ATTACH attempt | proc_pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> process</span> <span class="chip"> mitre_privilege_escalation</span> <span class="chip"> T1055.008</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#PTRACE_attached_to_process /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=PTRACE_anti-debug_attempt> PTRACE anti-debug attempt <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect usage of the PTRACE system call with the PTRACE_TRACEME argument, indicating a program actively attempting to avoid debuggers attaching to the process. This behavior is typically indicative of malware activity. Read more about PTRACE in the &#34;PTRACE attached to process&#34; rule. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">evt.type=ptrace and evt.arg.request contains PTRACE_TRACEME and proc_name_exists </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Detected potential PTRACE_TRACEME anti-debug attempt | proc_pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> process</span> <span class="chip"> mitre_defense_evasion</span> <span class="chip"> T1622</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#PTRACE_anti-debug_attempt /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Find_AWS_Credentials> Find AWS Credentials <span class="status enabled chip small">enabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect attempts to search for private keys or passwords using the grep or find command, particularly targeting standard AWS credential locations. This is often seen with unsophisticated attackers, as there are many ways to access files using bash built-ins that could go unnoticed. Regardless, this serves as a solid baseline detection that can be tailored to cover these gaps while maintaining an acceptable noise level. This rule complements the rule &#34;Search Private Keys or Passwords&#34;. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and ((grep_commands and private_aws_credentials) or (proc.name = &#34;find&#34; and proc.args endswith &#34;.aws/credentials&#34;)) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Detected AWS credentials search activity | proc_pcmdline=%proc.pcmdline proc_cwd=%proc.cwd group_gid=%group.gid group_name=%group.name user_loginname=%user.loginname evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> process</span> <span class="chip"> aws</span> <span class="chip"> mitre_credential_access</span> <span class="chip"> T1552</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Find_AWS_Credentials /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Execution_from_/dev/shm> Execution from /dev/shm <span class="status enabled chip small">enabled</span> <span class="priority warning chip small">WARNING</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">This rule detects file execution in the /dev/shm directory, a tactic often used by threat actors to store their readable, writable, and occasionally executable files. /dev/shm acts as a link to the host or other containers, creating vulnerabilities for their compromise as well. Notably, /dev/shm remains unchanged even after a container restart. Consider this rule alongside the newer &#34;Drop and execute new binary in container&#34; rule. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and (proc.exe startswith &#34;/dev/shm/&#34; or (proc.cwd startswith &#34;/dev/shm/&#34; and proc.exe startswith &#34;./&#34; ) or (shell_procs and proc.args startswith &#34;-c /dev/shm&#34;) or (shell_procs and proc.args startswith &#34;-i /dev/shm&#34;) or (shell_procs and proc.args startswith &#34;/dev/shm&#34;) or (proc.cwd startswith &#34;/dev/shm/&#34; and proc.args startswith &#34;./&#34; )) and not container.image.repository in (falco_privileged_images, trusted_images) </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">File execution detected from /dev/shm | evt_res=%evt.res file=%fd.name proc_cwd=%proc.cwd proc_pcmdline=%proc.pcmdline user_loginname=%user.loginname group_gid=%group.gid group_name=%group.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority warning chip"> WARNING</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> mitre_execution</span> <span class="chip"> T1059.004</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Execution_from_%2fdev%2fshm /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Drop_and_execute_new_binary_in_container> Drop and execute new binary in container <span class="status enabled chip small">enabled</span> <span class="priority critical chip small">CRITICAL</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect if an executable not belonging to the base image of a container is being executed. The drop and execute pattern can be observed very often after an attacker gained an initial foothold. is_exe_upper_layer filter field only applies for container runtimes that use overlayfs as union mount filesystem. Adopters can utilize the provided template list known_drop_and_execute_containers containing allowed container images known to execute binaries not included in their base image. Alternatively, you could exclude non-production namespaces in Kubernetes settings by adjusting the rule further. This helps reduce noise by applying application and environment-specific knowledge to this rule. Common anti-patterns include administrators or SREs performing ad-hoc debugging. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and container and proc.is_exe_upper_layer=true and not container.image.repository in (known_drop_and_execute_containers) and not known_drop_and_execute_activities </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Executing binary not part of base image | proc_exe=%proc.exe proc_sname=%proc.sname gparent=%proc.aname[2] proc_exe_ino_ctime=%proc.exe_ino.ctime proc_exe_ino_mtime=%proc.exe_ino.mtime proc_exe_ino_ctime_duration_proc_start=%proc.exe_ino.ctime_duration_proc_start proc_cwd=%proc.cwd container_start_ts=%container.start_ts evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority critical chip"> CRITICAL</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> container</span> <span class="chip"> process</span> <span class="chip"> mitre_persistence</span> <span class="chip"> TA0003</span> <span class="chip"> PCI_DSS_11.5.1</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Drop_and_execute_new_binary_in_container /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Disallowed_SSH_Connection_Non_Standard_Port> Disallowed SSH Connection Non Standard Port <span class="status enabled chip small">enabled</span> <span class="priority notice chip small">NOTICE</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect any new outbound SSH connection from the host or container using a non-standard port. This rule holds the potential to detect a family of reverse shells that cause the victim machine to connect back out over SSH, with STDIN piped from the SSH connection to a shell&#39;s STDIN, and STDOUT of the shell piped back over SSH. Such an attack can be launched against any app that is vulnerable to command injection. The upstream rule only covers a limited selection of non-standard ports. We suggest adding more ports, potentially incorporating ranges based on your environment&#39;s knowledge and custom SSH port configurations. This rule can complement the &#34;Redirect STDOUT/STDIN to Network Connection in Container&#34; or &#34;Disallowed SSH Connection&#34; rule. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">outbound and proc.exe endswith ssh and fd.l4proto=tcp and ssh_non_standard_ports_network </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Disallowed SSH Connection | connection=%fd.name lport=%fd.lport rport=%fd.rport fd_type=%fd.type fd_proto=%fd.l4proto evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority notice chip"> NOTICE</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> network</span> <span class="chip"> process</span> <span class="chip"> mitre_execution</span> <span class="chip"> T1059</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Disallowed_SSH_Connection_Non_Standard_Port /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> <button type="button" class="collapsible" id=Fileless_execution_via_memfd_create> Fileless execution via memfd_create <span class="status enabled chip small">enabled</span> <span class="priority critical chip small">CRITICAL</span> <span class="maturity stable chip small">stable</span> </button> <div class="rule"> <div class="descriptionDiv"> <span class="field">Description:</span></br> <pre><code class="condition" style="white-space: pre-wrap;">Detect if a binary is executed from memory using the memfd_create technique. This is a well-known defense evasion technique for executing malware on a victim machine without storing the payload on disk and to avoid leaving traces about what has been executed. Adopters can whitelist processes that may use fileless execution for benign purposes by adding items to the list known_memfd_execution_processes. </code></pre> </div> <div class="conditionDiv"> <span class="field">Condition:</span><br> <pre><code class="condition" style="white-space: pre-wrap;">spawned_process and proc.is_exe_from_memfd=true and not known_memfd_execution_processes </code></pre> </div> <div class="outputDiv"> <span class="field">Output:</span><br> <pre class="code"><code class="output" style="white-space: pre-wrap;">Fileless execution via memfd_create | container_start_ts=%container.start_ts proc_cwd=%proc.cwd evt_res=%evt.res proc_sname=%proc.sname gparent=%proc.aname[2] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags</code></pre> </div> <div class="maturityDiv"> <span class="field">Maturity: </span><span class="maturity stable chip"> stable</span> </div> <div class="priorityDiv"> <span class="field">Priority: </span><span class="priority critical chip"> CRITICAL</span> </div> <div class="tagsDiv"> <span class="field">Tags:</span> <span class="chip"> maturity_stable</span> <span class="chip"> host</span> <span class="chip"> container</span> <span class="chip"> process</span> <span class="chip"> mitre_defense_evasion</span> <span class="chip"> T1620</span> </div> <div class="statusDiv"> <span class="field">Status: </span> <span class="status enabled chip">enabled</span> </div> <div> <span class="field">Link: </span> <span><a href=#Fileless_execution_via_memfd_create /><i class="fa fa-link" style="padding-bottom: 15px;"></i></a></span> </div> </div> </div> <script> var coll = document.getElementsByClassName("collapsible"); var i; for (i = 0; i < coll.length; i++) { var id = coll[i].id; var anchor = getAnchor(); if (anchor == id) { var el = document.getElementById(id); el.classList.toggle("active"); el.style.backgroundColor = "#00aec7"; var content = el.nextElementSibling; content.style.display = "block"; } coll[i].addEventListener("click", function() { this.classList.toggle("active"); var content = this.nextElementSibling; if (content.style.display === "block") { content.style.display = "none"; this.style.backgroundColor = "#fff"; } else { content.style.display = "block"; this.style.backgroundColor = "#00aec7"; } }); } function getAnchor() { return (document.URL.split('#').length > 1) ? document.URL.split('#')[1] : null; } function search() { var input = document.getElementById('search'); var filter = input.value.toUpperCase(); var div = document.getElementById("rules"); var buttons = div.getElementsByTagName('button'); for (i = 0; i < buttons.length; i++) { txt = buttons[i].innerText; if (txt.toUpperCase().indexOf(filter) > -1) { buttons[i].style.display = ""; } else { buttons[i].style.display = "none"; buttons[i].style.backgroundColor = "#fff"; var content = buttons[i].nextElementSibling; content.style.display = "none"; } } } function stringToHash(string) { let hash = 0; if (string.length == 0) return hash; for (i = 0; i < string.length; i++) { char = string.charCodeAt(i); hash = ((hash << 5) - hash) + char; hash = hash & hash; } return hash; } </script>