Reference Library for Linux workloads Falco Threat Detection Rules
Sysdig Secure enables you to create and customize Threat Detection Rules to secure your environment.
This topic provides all the fields and events that apply to Falco rules for Linux workloads.
Fields
Field Class: evt
Event fields applicable to syscall events. Note that for most events you can access the individual arguments/parameters of each syscall via evt.arg, e.g. evt.arg.filename.
| Name | Type | Description | Linux versions | Serverless versions |
|---|---|---|---|---|
evt.num | UINT64 | event number. | all | all |
evt.time | CHARBUF | event timestamp as a time string that includes the nanosecond part. | all | all |
evt.time.s | CHARBUF | event timestamp as a time string with no nanoseconds. | all | all |
evt.time.iso8601 | CHARBUF | event timestamp in ISO 8601 format, including nanoseconds and time zone offset (in UTC). | all | all |
evt.datetime | CHARBUF | event timestamp as a time string that includes the date. | all | all |
evt.datetime.s | CHARBUF | event timestamp as a datetime string with no nanoseconds. | all | all |
evt.rawtime | ABSTIME | absolute event timestamp, i.e. nanoseconds from epoch. | all | all |
evt.rawtime.s | ABSTIME | integer part of the event timestamp (e.g. seconds since epoch). | all | all |
evt.rawtime.ns | ABSTIME | fractional part of the absolute event timestamp. | all | all |
evt.reltime | RELTIME | number of nanoseconds from the beginning of the capture. | all | all |
evt.reltime.s | RELTIME | number of seconds from the beginning of the capture. | all | all |
evt.reltime.ns | RELTIME | fractional part (in ns) of the time from the beginning of the capture. | all | all |
evt.pluginname | CHARBUF | if the event comes from a plugin-defined event source, the name of the plugin that generated it. The plugin must be currently loaded. | all | all |
evt.plugininfo | CHARBUF | if the event comes from a plugin-defined event source, a summary of the event as formatted by the plugin. The plugin must be currently loaded. | all | all |
evt.source | CHARBUF | the name of the source that produced the event. | all | all |
evt.is_async | BOOL | ’true’ for asynchronous events, ‘false’ otherwise. | all | all |
evt.asynctype | CHARBUF | If the event is asynchronous, the type of the event (e.g. ‘container’). | all | all |
evt.hostname | CHARBUF | The hostname of the underlying host can be customized by setting an environment variable (e.g. FALCO_HOSTNAME for the Falco agent). This is valuable in Kubernetes setups, where the hostname can match the pod name particularly in DaemonSet deployments. To achieve this, assign Kubernetes’ spec.nodeName to the environment variable. Notably, spec.nodeName generally includes the cluster name. | all | all |
evt.latency | RELTIME | delta between an exit event and the correspondent enter event, in nanoseconds. | all | all |
evt.latency.s | RELTIME | integer part of the event latency delta. | all | all |
evt.latency.ns | RELTIME | fractional part of the event latency delta. | all | all |
evt.latency.human | CHARBUF | delta between an exit event and the correspondent enter event, as a human readable string (e.g. 10.3ms). | all | all |
evt.deltatime | RELTIME | delta between this event and the previous event, in nanoseconds. | all | all |
evt.deltatime.s | RELTIME | integer part of the delta between this event and the previous event. | all | all |
evt.deltatime.ns | RELTIME | fractional part of the delta between this event and the previous event. | all | all |
evt.dir | CHARBUF | event direction can be either ‘>’ for enter events or ‘<’ for exit events. | all | all |
evt.type | CHARBUF | The name of the event (e.g. ‘open’). | all | all |
evt.type.is | UINT32 | allows one to specify an event type, and returns 1 for events that are of that type. For example, evt.type.is.open returns 1 for open events, 0 for any other event. | all | all |
syscall.type | CHARBUF | For system call events, the name of the system call (e.g. ‘open’). Unset for other events (e.g. switch or internal events). Use this field instead of evt.type if you need to make sure that the filtered/printed value is actually a system call. | all | all |
evt.category | CHARBUF | The event category. Example values are ‘file’ (for file operations like open and close), ’net’ (for network operations like socket and bind), memory (for things like brk or mmap), and so on. | all | all |
evt.cpu | INT16 | number of the CPU where this event happened. | all | all |
evt.args | CHARBUF | all the event arguments, aggregated into a single string. | all | all |
evt.arg | CHARBUF | one of the event arguments specified by name or by number. Some events (e.g. return codes or FDs) will be converted into a text representation when possible. E.g. ’evt.arg.fd’ or ’evt.arg[0]’. | all | all |
evt.rawarg | DYNAMIC | one of the event arguments specified by name. E.g. ’evt.rawarg.fd’. | all | all |
evt.info | CHARBUF | for most events, this field returns the same value as evt.args. However, for some events (like writes to /dev/log) it provides higher level information coming from decoding the arguments. | all | all |
evt.buffer | BYTEBUF | the binary data buffer for events that have one, like read(), recvfrom(), etc. Use this field in filters with ‘contains’ to search into I/O data buffers. | all | all |
evt.buflen | UINT64 | the length of the binary data buffer for events that have one, like read(), recvfrom(), etc. | all | all |
evt.res | CHARBUF | event return value, as a string. If the event failed, the result is an error code string (e.g. ‘ENOENT’), otherwise the result is the string ‘SUCCESS’. | all | all |
evt.rawres | INT64 | event return value, as a number (e.g. -2). Useful for range comparisons. | all | all |
evt.failed | BOOL | ’true’ for events that returned an error status. | all | all |
evt.is_io | BOOL | ’true’ for events that read or write to FDs, like read(), send, recvfrom(), etc. | all | all |
evt.is_io_read | BOOL | ’true’ for events that read from FDs, like read(), recv(), recvfrom(), etc. | all | all |
evt.is_io_write | BOOL | ’true’ for events that write to FDs, like write(), send(), etc. | all | all |
evt.io_dir | CHARBUF | ‘r’ for events that read from FDs, like read(); ‘w’ for events that write to FDs, like write(). | all | all |
evt.is_wait | BOOL | ’true’ for events that make the thread wait, e.g. sleep(), select(), poll(). | all | all |
evt.wait_latency | RELTIME | for events that make the thread wait (e.g. sleep(), select(), poll()), this is the time spent waiting for the event to return, in nanoseconds. | all | all |
evt.is_syslog | BOOL | ’true’ for events that are writes to /dev/log. | all | all |
evt.count | UINT32 | This filter field always returns 1. | all | all |
evt.count.error | UINT32 | This filter field returns 1 for events that returned with an error. | all | all |
evt.count.error.file | UINT32 | This filter field returns 1 for events that returned with an error and are related to file I/O. | all | all |
evt.count.error.net | UINT32 | This filter field returns 1 for events that returned with an error and are related to network I/O. | all | all |
evt.count.error.memory | UINT32 | This filter field returns 1 for events that returned with an error and are related to memory allocation. | all | all |
evt.count.error.other | UINT32 | This filter field returns 1 for events that returned with an error and are related to none of the previous categories. | all | all |
evt.count.exit | UINT32 | This filter field returns 1 for exit events. | all | all |
evt.around | UINT64 | Accepts the event if it’s around the specified time interval. The syntax is evt.around[T]=D, where T is the value returned by %evt.rawtime for the event and D is a delta in milliseconds. For example, evt.around[1404996934793590564]=1000 will return the events with timestamp with one second before the timestamp and one second after it, for a total of two seconds of capture. | all | all |
evt.abspath | CHARBUF | Absolute path calculated from dirfd and name during syscalls like renameat and symlinkat. Use ’evt.abspath.src’ or ’evt.abspath.dst’ for syscalls that support multiple paths. | all | all |
evt.is_open_read | BOOL | ’true’ for open/openat/openat2/open_by_handle_at events where the path was opened for reading | all | all |
evt.is_open_write | BOOL | ’true’ for open/openat/openat2/open_by_handle_at events where the path was opened for writing | all | all |
evt.is_open_exec | BOOL | ’true’ for open/openat/openat2/open_by_handle_at or creat events where a file is created with execute permissions | all | all |
evt.is_open_create | BOOL | ’true’ for for open/openat/openat2/open_by_handle_at events where a file is created. | all | all |
Field Class: process
Additional information about the process and thread executing the syscall event.
| Name | Type | Description | Linux versions | Serverless versions |
|---|---|---|---|---|
proc.exe | CHARBUF | The first command-line argument (i.e., argv[0]), typically the executable name or a custom string as specified by the user. It is primarily obtained from syscall arguments, truncated after 4096 bytes, or, as a fallback, by reading /proc/PID/cmdline, in which case it may be truncated after 1024 bytes. This field may differ from the last component of proc.exepath, reflecting how command invocation and execution paths can vary. | all | all |
proc.pexe | CHARBUF | The proc.exe (first command line argument argv[0]) of the parent process. | all | all |
proc.aexe | CHARBUF | The proc.exe (first command line argument argv[0]) for a specific process ancestor. You can access different levels of ancestors by using indices. For example, proc.aexe[1] retrieves the proc.exe of the parent process, proc.aexe[2] retrieves the proc.exe of the grandparent process, and so on. The current process’s proc.exe line can be obtained using proc.aexe[0]. When used without any arguments, proc.aexe is applicable only in filters and matches any of the process ancestors. For instance, you can use proc.aexe endswith java to match any process ancestor whose proc.exe ends with the term java. | all | all |
proc.exepath | CHARBUF | The full executable path of a process, resolving to the canonical path for symlinks. This is primarily obtained from the kernel, or as a fallback, by reading /proc/PID/exe (in the latter case, the path is truncated after 1024 bytes). For eBPF drivers, due to verifier limits, path components may be truncated to 24 for legacy eBPF on kernel <5.2, 48 for legacy eBPF on kernel >=5.2, or 96 for modern eBPF. | all | all |
proc.pexepath | CHARBUF | The proc.exepath (full executable path) of the parent process. | all | all |
proc.aexepath | CHARBUF | The proc.exepath (full executable path) for a specific process ancestor. You can access different levels of ancestors by using indices. For example, proc.aexepath[1] retrieves the proc.exepath of the parent process, proc.aexepath[2] retrieves the proc.exepath of the grandparent process, and so on. The current process’s proc.exepath line can be obtained using proc.aexepath[0]. When used without any arguments, proc.aexepath is applicable only in filters and matches any of the process ancestors. For instance, you can use proc.aexepath endswith java to match any process ancestor whose path ends with the term java. | all | all |
proc.name | CHARBUF | The process name (truncated after 16 characters) generating the event (task->comm). Truncation is determined by kernel settings and not by Falco. This field is collected from the syscalls args or, as a fallback, extracted from /proc/PID/comm. The name of the process and the name of the executable file on disk (if applicable) can be different if a process is given a custom name which is often the case for example for java applications. | all | all |
proc.pname | CHARBUF | The proc.name (truncated after 16 characters) of the parent process. | all | all |
proc.aname | CHARBUF | The proc.name (truncated after 16 characters) for a specific process ancestor. You can access different levels of ancestors by using indices. For example, proc.aname[1] retrieves the proc.name of the parent process, proc.aname[2] retrieves the proc.name of the grandparent process, and so on. The current process’s proc.name line can be obtained using proc.aname[0]. When used without any arguments, proc.aname is applicable only in filters and matches any of the process ancestors. For instance, you can use proc.aname=bash to match any process ancestor whose name is bash. | all | all |
proc.args | CHARBUF | The arguments passed on the command line when starting the process generating the event excluding argv[0] (truncated after 4096 bytes). This field is collected from the system call arguments, or as a fallback, extracted from /proc/PID/cmdline, can be accessed by specifying proc.args[INDEX], e.g., proc.args[0] or proc.args[1]. The indexing is zero-based, meaning proc.args[0] refers to the first command-line argument passed, rather than argv[0]. | all | all |
proc.aargs | CHARBUF | The arguments passed on the command line when starting the process generating the event for a specific process ancestor. You can access different levels of ancestors by using indices. For example, proc.aargs[1] retrieves the arguments passed on the command line of the parent process, proc.aargs[2] retrieves the proc.args of the grandparent process, and so on. The current process’s arguments passed on the command line can be obtained using proc.aargs[0]. When used without any arguments, proc.aargs is applicable only in filters and matches any of the process ancestors. For instance, you can use proc.aargs contains base64 to match any process ancestor whose arguments passed on the command line contains the term base64. | 14.3.0 and above | 6.2.0 and above |
proc.cmdline | CHARBUF | The concatenation of proc.name + proc.args (truncated after 4096 bytes) when starting the process generating the event. | all | all |
proc.pcmdline | CHARBUF | The proc.cmdline (full command line (proc.name + proc.args)) of the parent process. | all | all |
proc.acmdline | CHARBUF | The full command line (proc.name + proc.args) for a specific process ancestor. You can access different levels of ancestors by using indices. For example, proc.acmdline[1] retrieves the full command line of the parent process, proc.acmdline[2] retrieves the proc.cmdline of the grandparent process, and so on. The current process’s full command line can be obtained using proc.acmdline[0]. When used without any arguments, proc.acmdline is applicable only in filters and matches any of the process ancestors. For instance, you can use proc.acmdline contains base64 to match any process ancestor whose command line contains the term base64. | all | all |
proc.cmdnargs | UINT64 | The number of command line args (proc.args). | all | all |
proc.cmdlenargs | UINT64 | The total count of characters / length of the command line args (proc.args) combined excluding whitespaces between args. | all | all |
proc.exeline | CHARBUF | The full command line, with exe as first argument (proc.exe + proc.args) when starting the process generating the event. | all | all |
proc.env | CHARBUF | The environment variables of the process generating the event as concatenated string ‘ENV_NAME=value ENV_NAME1=value1’. Can also be used to extract the value of a known env variable, e.g. proc.env[ENV_NAME]. | all | all |
proc.aenv | CHARBUF | [EXPERIMENTAL] This field can be used in three flavors: (1) as a filter checking all parents, e.g. ‘proc.aenv contains xyz’, which is similar to the familiar ‘proc.aname contains xyz’ approach, (2) checking the proc.env of a specified level of the parent, e.g. ‘proc.aenv[2]’, which is similar to the familiar ‘proc.aname[2]’ approach, or (3) checking the first matched value of a known ENV_NAME in the parent lineage, such as ‘proc.aenv[ENV_NAME]’ (across a max of 20 ancestor levels). This field may be deprecated or undergo breaking changes in future releases. Please use it with caution. | all | all |
proc.cwd | CHARBUF | The current working directory of the event. | all | all |
proc.loginshellid | INT64 | The pid of the oldest shell among the ancestors of the current process, if there is one. This field can be used to separate different user sessions. | all | all |
proc.tty | UINT32 | The controlling terminal of the process. 0 for processes without a terminal. | all | all |
proc.pid | INT64 | The id of the process generating the event. | all | all |
proc.ppid | INT64 | The pid of the parent of the process generating the event. | all | all |
proc.apid | INT64 | The pid for a specific process ancestor. You can access different levels of ancestors by using indices. For example, proc.apid[1] retrieves the pid of the parent process, proc.apid[2] retrieves the pid of the grandparent process, and so on. The current process’s pid can be obtained using proc.apid[0]. When used without any arguments, proc.apid is applicable only in filters and matches any of the process ancestors. For instance, you can use proc.apid=1337 to match any process ancestor whose pid is equal to 1337. | all | all |
proc.vpid | INT64 | The id of the process generating the event as seen from its current PID namespace. | all | all |
proc.pvpid | INT64 | The id of the parent process generating the event as seen from its current PID namespace. | all | all |
proc.sid | INT64 | The session id of the process generating the event. | all | all |
proc.sname | CHARBUF | The name of the current process’s session leader. This is either the process with pid=proc.sid or the eldest ancestor that has the same sid as the current process. | all | all |
proc.sid.exe | CHARBUF | The first command line argument argv[0] (usually the executable name or a custom one) of the current process’s session leader. This is either the process with pid=proc.sid or the eldest ancestor that has the same sid as the current process. | all | all |
proc.sid.exepath | CHARBUF | The full executable path of the current process’s session leader. This is either the process with pid=proc.sid or the eldest ancestor that has the same sid as the current process. | all | all |
proc.vpgid | INT64 | The process group id of the process generating the event, as seen from its current PID namespace. | all | all |
proc.vpgid.name | CHARBUF | The name of the current process’s process group leader. This is either the process with proc.vpgid == proc.vpid or the eldest ancestor that has the same vpgid as the current process. The description of proc.is_vpgid_leader offers additional insights. | all | all |
proc.vpgid.exe | CHARBUF | The first command line argument argv[0] (usually the executable name or a custom one) of the current process’s process group leader. This is either the process with proc.vpgid == proc.vpid or the eldest ancestor that has the same vpgid as the current process. The description of proc.is_vpgid_leader offers additional insights. | all | all |
proc.vpgid.exepath | CHARBUF | The full executable path of the current process’s process group leader. This is either the process with proc.vpgid == proc.vpid or the eldest ancestor that has the same vpgid as the current process. The description of proc.is_vpgid_leader offers additional insights. | all | all |
proc.pgid | INT64 | The process group id of the process generating the event, as seen from host PID namespace. | 13.6.0 and above | all |
proc.pgid.name | CHARBUF | The name of the current process’s process group leader. This is either the process with proc.pgid == proc.pid or the eldest ancestor that has the same pgid as the current process. The description of proc.is_pgid_leader offers additional insights. | 13.6.0 and above | all |
proc.pgid.exe | CHARBUF | The first command line argument argv[0] (usually the executable name or a custom one) of the current process’s process group leader. This is either the process with proc.pgid == proc.pid or the eldest ancestor that has the same pgid as the current process. The description of proc.is_pgid_leader offers additional insights. | 13.6.0 and above | all |
proc.pgid.exepath | CHARBUF | The full executable path of the current process’s process group leader. This is either the process with proc.pgid == proc.pid or the eldest ancestor that has the same pgid as the current process. The description of proc.is_pgid_leader offers additional insights. | 13.6.0 and above | all |
proc.duration | RELTIME | Number of nanoseconds since the process started. | all | all |
proc.ppid.duration | RELTIME | Number of nanoseconds since the parent process started. | all | all |
proc.pid.ts | RELTIME | Start of process as epoch timestamp in nanoseconds. | all | all |
proc.ppid.ts | RELTIME | Start of parent process as epoch timestamp in nanoseconds. | all | all |
proc.is_exe_writable | BOOL | ’true’ if this process’ executable file is writable by the same user that spawned the process. | all | all |
proc.is_exe_upper_layer | BOOL | ’true’ if this process’ executable file is in upper layer in overlayfs. This field value can only be trusted if the underlying kernel version is greater or equal than 3.18.0, since overlayfs was introduced at that time. | all | all |
proc.is_exe_lower_layer | BOOL | ’true’ if this process’ executable file is in lower layer in overlayfs. This field value can only be trusted if the underlying kernel version is greater or equal than 3.18.0, since overlayfs was introduced at that time. | 13.5.0 and above | all |
proc.is_exe_from_memfd | BOOL | ’true’ if the executable file of the current process is an anonymous file created using memfd_create() and is being executed by referencing its file descriptor (fd). This type of file exists only in memory and not on disk. Relevant to detect malicious in-memory code injection. Requires kernel version greater or equal to 3.17.0. | all | all |
proc.is_sid_leader | BOOL | ’true’ if this process is the leader of the process session, proc.sid == proc.vpid. For host processes vpid reflects pid. | all | all |
proc.is_vpgid_leader | BOOL | ’true’ if this process is the leader of the virtual process group, proc.vpgid == proc.vpid. For host processes vpgid and vpid reflect pgid and pid. Can help to distinguish if the process was ‘directly’ executed for instance in a tty (similar to bash history logging, is_vpgid_leader would be ’true’) or executed as descendent process in the same process group which for example is the case when subprocesses are spawned from a script (is_vpgid_leader would be ‘false’). | all | all |
proc.is_pgid_leader | BOOL | ’true’ if this process is the leader of the process group, proc.pgid == proc.pid. Can help to distinguish if the process was ‘directly’ executed for instance in a tty (similar to bash history logging, is_pgid_leader would be ’true’) or executed as descendent process in the same process group which for example is the case when subprocesses are spawned from a script (is_pgid_leader would be ‘false’). | 13.6.0 and above | all |
proc.exe_ino | INT64 | The inode number of the executable file on disk. Can be correlated with fd.ino. | all | all |
proc.exe_ino.ctime | ABSTIME | Last status change time of executable file (inode->ctime) as epoch timestamp in nanoseconds. Time is changed by writing or by setting inode information e.g. owner, group, link count, mode etc. | all | all |
proc.exe_ino.mtime | ABSTIME | Last modification time of executable file (inode->mtime) as epoch timestamp in nanoseconds. Time is changed by file modifications, e.g. by mknod, truncate, utime, write of more than zero bytes etc. For tracking changes in owner, group, link count or mode, use proc.exe_ino.ctime instead. | all | all |
proc.exe_ino.ctime_duration_proc_start | ABSTIME | Number of nanoseconds between modifying status of executable image and spawning a new process using the changed executable image. | all | all |
proc.exe_ino.ctime_duration_pidns_start | ABSTIME | Number of nanoseconds between PID namespace start ts and ctime exe file if PID namespace start predates ctime. | all | all |
proc.pidns_init_start_ts | UINT64 | Start of PID namespace (container or non container pid namespace) as epoch timestamp in nanoseconds. | all | all |
thread.cap_permitted | CHARBUF | The permitted capabilities set | all | all |
thread.cap_inheritable | CHARBUF | The inheritable capabilities set | all | all |
thread.cap_effective | CHARBUF | The effective capabilities set | all | all |
proc.fdopencount | UINT64 | Number of open FDs for the process | all | all |
proc.fdlimit | INT64 | Maximum number of FDs the process can open. | all | all |
proc.fdusage | DOUBLE | The ratio between open FDs and maximum available FDs for the process. | all | all |
proc.vmsize | UINT64 | Total virtual memory for the process (as kb). | all | all |
proc.vmrss | UINT64 | Resident non-swapped memory for the process (as kb). | all | all |
proc.vmswap | UINT64 | Swapped memory for the process (as kb). | all | all |
thread.pfmajor | UINT64 | Number of major page faults since thread start. | all | all |
thread.pfminor | UINT64 | Number of minor page faults since thread start. | all | all |
thread.tid | INT64 | The id of the thread generating the event. | all | all |
thread.ismain | BOOL | ’true’ if the thread generating the event is the main one in the process. | all | all |
thread.vtid | INT64 | The id of the thread generating the event as seen from its current PID namespace. | all | all |
thread.exectime | RELTIME | CPU time spent by the last scheduled thread, in nanoseconds. Exported by switch events only. | all | all |
thread.totexectime | RELTIME | Total CPU time, in nanoseconds since the beginning of the capture, for the current thread. Exported by switch events only. | all | all |
thread.cgroups | CHARBUF | All cgroups the thread belongs to, aggregated into a single string. | all | all |
thread.cgroup | CHARBUF | The cgroup the thread belongs to, for a specific subsystem. e.g. thread.cgroup.cpuacct. | all | all |
proc.nthreads | UINT64 | The number of alive threads that the process generating the event currently has, including the leader thread. Please note that the leader thread may not be here, in that case ‘proc.nthreads’ and ‘proc.nchilds’ are equal | all | all |
proc.nchilds | UINT64 | The number of alive not leader threads that the process generating the event currently has. This excludes the leader thread. | all | all |
thread.cpu | DOUBLE | The CPU consumed by the thread in the last second. | all | all |
thread.cpu.user | DOUBLE | The user CPU consumed by the thread in the last second. | all | all |
thread.cpu.system | DOUBLE | The system CPU consumed by the thread in the last second. | all | all |
thread.vmsize | UINT64 | For the process main thread, this is the total virtual memory for the process (as kb). For the other threads, this field is zero. | all | all |
thread.vmrss | UINT64 | For the process main thread, this is the resident non-swapped memory for the process (as kb). For the other threads, this field is zero. | all | all |
proc.stdin.type | CHARBUF | The type of file descriptor 0, corresponding to stdin, of the process generating the event. | 13.4.0 and above | all |
proc.stdout.type | CHARBUF | The type of file descriptor 1, corresponding to stdout, of the process generating the event. | 13.4.0 and above | all |
proc.stderr.type | CHARBUF | The type of file descriptor 2, corresponding to stderr, of the process generating the event. | 13.4.0 and above | all |
proc.stdin.name | CHARBUF | The name of the file descriptor 0, corresponding to stdin, of the process generating the event. | 13.4.0 and above | all |
proc.stdout.name | CHARBUF | The name of the file descriptor 1, corresponding to stdout, of the process generating the event. | 13.4.0 and above | all |
proc.stderr.name | CHARBUF | The name of the file descriptor 2, corresponding to stderr, of the process generating the event. | 13.4.0 and above | all |
Field Class: user
Information about the user executing the specific event.
| Name | Type | Description | Linux versions | Serverless versions |
|---|---|---|---|---|
user.uid | UINT32 | user ID. | all | all |
user.name | CHARBUF | user name. | all | all |
user.homedir | CHARBUF | home directory of the user. | all | all |
user.shell | CHARBUF | user’s shell. | all | all |
user.loginuid | INT64 | audit user id (auid), internally the loginuid is of type uint32_t. However, if an invalid uid corresponding to UINT32_MAX is encountered, it is returned as -1 to support familiar filtering conditions. | all | all |
user.loginname | CHARBUF | audit user name (auid). | all | all |
Field Class: group
Information about the user group.
| Name | Type | Description | Linux versions | Serverless versions |
|---|---|---|---|---|
group.gid | UINT32 | group ID. | all | all |
group.name | CHARBUF | group name. | all | all |
Field Class: fd
Every syscall that has a file descriptor in its arguments has these fields set with information related to the file.
| Name | Type | Description | Linux versions | Serverless versions |
|---|---|---|---|---|
fd.num | INT64 | the unique number identifying the file descriptor. | all | all |
fd.type | CHARBUF | type of FD. Can be ‘file’, ‘directory’, ‘ipv4’, ‘ipv6’, ‘unix’, ‘pipe’, ’event’, ‘signalfd’, ’eventpoll’, ‘inotify’ ‘signalfd’ or ‘memfd’. | all | all |
fd.typechar | CHARBUF | type of FD as a single character. Can be ‘f’ for file, 4 for IPv4 socket, 6 for IPv6 socket, ‘u’ for unix socket, p for pipe, ’e’ for eventfd, ’s’ for signalfd, ’l’ for eventpoll, ‘i’ for inotify, ‘b’ for bpf, ‘u’ for userfaultd, ‘r’ for io_uring, ’m’ for memfd ,‘o’ for unknown. | all | all |
fd.name | CHARBUF | FD full name. If the fd is a file, this field contains the full path. If the FD is a socket, this field contain the connection tuple. | all | all |
fd.directory | CHARBUF | If the fd is a file, the directory that contains it. | all | all |
fd.filename | CHARBUF | If the fd is a file, the filename without the path. | all | all |
fd.ip | IPADDR | matches the ip address (client or server) of the fd. | all | all |
fd.cip | IPADDR | client IP address. | all | all |
fd.sip | IPADDR | server IP address. | all | all |
fd.lip | IPADDR | local IP address. | all | all |
fd.rip | IPADDR | remote IP address. | all | all |
fd.port | PORT | matches the port (either client or server) of the fd. | all | all |
fd.cport | PORT | for TCP/UDP FDs, the client port. | all | all |
fd.sport | PORT | for TCP/UDP FDs, server port. | all | all |
fd.lport | PORT | for TCP/UDP FDs, the local port. | all | all |
fd.rport | PORT | for TCP/UDP FDs, the remote port. | all | all |
fd.l4proto | CHARBUF | the IP protocol of a socket. Can be ’tcp’, ‘udp’, ‘icmp’ or ‘raw’. | all | all |
fd.sockfamily | CHARBUF | the socket family for socket events. Can be ‘ip’ or ‘unix’. | all | all |
fd.is_server | BOOL | ’true’ if the process owning this FD is the server endpoint in the connection. | all | all |
fd.uid | CHARBUF | a unique identifier for the FD, created by chaining the FD number and the thread ID. | all | all |
fd.containername | CHARBUF | chaining of the container ID and the FD name. Useful when trying to identify which container an FD belongs to. | all | all |
fd.containerdirectory | CHARBUF | chaining of the container ID and the directory name. Useful when trying to identify which container a directory belongs to. | all | all |
fd.proto | PORT | matches the protocol (either client or server) of the fd. | all | all |
fd.cproto | CHARBUF | for TCP/UDP FDs, the client protocol. | all | all |
fd.sproto | CHARBUF | for TCP/UDP FDs, server protocol. | all | all |
fd.lproto | CHARBUF | for TCP/UDP FDs, the local protocol. | all | all |
fd.rproto | CHARBUF | for TCP/UDP FDs, the remote protocol. | all | all |
fd.net | IPNET | matches the IP network (client or server) of the fd. | all | all |
fd.cnet | IPNET | matches the client IP network of the fd. | all | all |
fd.snet | IPNET | matches the server IP network of the fd. | all | all |
fd.lnet | IPNET | matches the local IP network of the fd. | all | all |
fd.rnet | IPNET | matches the remote IP network of the fd. | all | all |
fd.connected | BOOL | for TCP/UDP FDs, ’true’ if the socket is connected. | all | all |
fd.name_changed | BOOL | True when an event changes the name of an fd used by this event. This can occur in some cases such as udp connections where the connection tuple changes. | all | all |
fd.cip.name | CHARBUF | Domain name associated with the client IP address. | all | all |
fd.sip.name | CHARBUF | Domain name associated with the server IP address. | all | all |
fd.lip.name | CHARBUF | Domain name associated with the local IP address. | all | all |
fd.rip.name | CHARBUF | Domain name associated with the remote IP address. | all | all |
fd.dev | INT32 | device number (major/minor) containing the referenced file | all | all |
fd.dev.major | INT32 | major device number containing the referenced file | all | all |
fd.dev.minor | INT32 | minor device number containing the referenced file | all | all |
fd.ino | INT64 | inode number of the referenced file | all | all |
fd.nameraw | CHARBUF | FD full name raw. Just like fd.name, but only used if fd is a file path. File path is kept raw with limited sanitization and without deriving the absolute path. | all | all |
fd.types | CHARBUF | List of FD types in used. Can be passed an fd number e.g. fd.types[0] to get the type of stdout as a single item list. | all | all |
fd.is_upper_layer | BOOL | ’true’ if the fd is of a file in the upper layer of an overlayfs. | 13.5.0 and above | all |
fd.is_lower_layer | BOOL | ’true’ if the fd is of a file in the lower layer of an overlayfs. | 13.5.0 and above | all |
Field Class: fs.path
Every syscall that has a filesystem path in its arguments has these fields set with information related to the path arguments. This differs from the fd.* fields as it includes syscalls like unlink, rename, etc. that act directly on filesystem paths as compared to opened file descriptors.
| Name | Type | Description | Linux versions | Serverless versions |
|---|---|---|---|---|
fs.path.name | CHARBUF | For any event type that deals with a filesystem path, the path the file syscall is operating on. This path is always fully resolved, prepending the thread cwd when needed. | all | all |
fs.path.nameraw | CHARBUF | For any event type that deals with a filesystem path, the path the file syscall is operating on. This path is always the path provided to the syscall and may not be fully resolved. | all | all |
fs.path.source | CHARBUF | For any event type that deals with a filesystem path, and specifically for a source and target like mv, cp, etc, the source path the file syscall is operating on. This path is always fully resolved, prepending the thread cwd when needed. | all | all |
fs.path.sourceraw | CHARBUF | For any event type that deals with a filesystem path, and specifically for a source and target like mv, cp, etc, the source path the file syscall is operating on. This path is always the path provided to the syscall and may not be fully resolved. | all | all |
fs.path.target | CHARBUF | For any event type that deals with a filesystem path, and specifically for a target and target like mv, cp, etc, the target path the file syscall is operating on. This path is always fully resolved, prepending the thread cwd when needed. | all | all |
fs.path.targetraw | CHARBUF | For any event type that deals with a filesystem path, and specifically for a target and target like mv, cp, etc, the target path the file syscall is operating on. This path is always the path provided to the syscall and may not be fully resolved. | all | all |
Field Class: syslog
Content of Syslog messages.
| Name | Type | Description | Linux versions | Serverless versions |
|---|---|---|---|---|
syslog.facility.str | CHARBUF | facility as a string. | all | all |
syslog.facility | UINT32 | facility as a number (0-23). | all | all |
syslog.severity.str | CHARBUF | severity as a string. Can have one of these values: emerg, alert, crit, err, warn, notice, info, debug | all | all |
syslog.severity | UINT32 | severity as a number (0-7). | all | all |
syslog.message | CHARBUF | message sent to syslog. | all | all |
Field Class: fdlist
Poll event related fields.
| Name | Type | Description | Linux versions | Serverless versions |
|---|---|---|---|---|
fdlist.nums | CHARBUF | for poll events, this is a comma-separated list of the FD numbers in the ‘fds’ argument, returned as a string. | all | all |
fdlist.names | CHARBUF | for poll events, this is a comma-separated list of the FD names in the ‘fds’ argument, returned as a string. | all | all |
fdlist.cips | CHARBUF | for poll events, this is a comma-separated list of the client IP addresses in the ‘fds’ argument, returned as a string. | all | all |
fdlist.sips | CHARBUF | for poll events, this is a comma-separated list of the server IP addresses in the ‘fds’ argument, returned as a string. | all | all |
fdlist.cports | CHARBUF | for TCP/UDP FDs, for poll events, this is a comma-separated list of the client TCP/UDP ports in the ‘fds’ argument, returned as a string. | all | all |
fdlist.sports | CHARBUF | for poll events, this is a comma-separated list of the server TCP/UDP ports in the ‘fds’ argument, returned as a string. | all | all |
Field Class: container (plugin)
| Name | Type | Description | Linux versions | Serverless versions |
|---|---|---|---|---|
container.id | CHARBUF | The truncated container ID (first 12 characters), e.g. 3ad7b26ded6d is extracted from the Linux cgroups by Falco within the kernel. Consequently, this field is reliably available and serves as the lookup key for Falco’s synchronous or asynchronous requests against the container runtime socket to retrieve all other ‘container.’ information. One important aspect to be aware of is that if the process occurs on the host, meaning not in the container PID namespace, this field is set to a string called ‘host’. In Kubernetes, pod sandbox container processes can exist where container.id matches k8s.pod.sandbox_id, lacking other ‘container.’ details. | all | up to 6.1.0 |
container.full_id | CHARBUF | The full container ID, e.g. 3ad7b26ded6d8e7b23da7d48fe889434573036c27ae5a74837233de441c3601e. In contrast to container.id, we enrich this field as part of the container engine enrichment. In instances of userspace container engine lookup delays, this field may not be available yet. | all | up to 6.1.0 |
container.name | CHARBUF | The container name. In instances of userspace container engine lookup delays, this field may not be available yet. One important aspect to be aware of is that if the process occurs on the host, meaning not in the container PID namespace, this field is set to a string called ‘host’. | all | up to 6.1.0 |
container.image | CHARBUF | The container image name (e.g. falcosecurity/falco:latest for docker). In instances of userspace container engine lookup delays, this field may not be available yet. | all | up to 6.1.0 |
container.image.id | CHARBUF | The container image id (e.g. 6f7e2741b66b). In instances of userspace container engine lookup delays, this field may not be available yet. | all | up to 6.1.0 |
container.type | CHARBUF | The container type, e.g. docker, cri-o, containerd etc. | all | up to 6.1.0 |
container.privileged | BOOL | ’true’ for containers running as privileged, ‘false’ otherwise. In instances of userspace container engine lookup delays, this field may not be available yet. | all | up to 6.1.0 |
container.mounts | CHARBUF | A space-separated list of mount information. Each item in the list has the format ‘source:dest:mode:rdrw:propagation’. In instances of userspace container engine lookup delays, this field may not be available yet. | all | up to 6.1.0 |
container.mount | CHARBUF | Information about a single mount, specified by number (e.g. container.mount[0]) or mount source (container.mount[/usr/local]). The pathname can be a glob (container.mount[/usr/local/*]), in which case the first matching mount will be returned. The information has the format ‘source:dest:mode:rdrw:propagation’. If there is no mount with the specified index or matching the provided source, returns the string “none” instead of a NULL value. In instances of userspace container engine lookup delays, this field may not be available yet. | all | up to 6.1.0 |
container.mount.source | CHARBUF | The mount source, specified by number (e.g. container.mount.source[0]) or mount destination (container.mount.source[/host/lib/modules]). The pathname can be a glob. In instances of userspace container engine lookup delays, this field may not be available yet. | all | up to 6.1.0 |
container.mount.dest | CHARBUF | The mount destination, specified by number (e.g. container.mount.dest[0]) or mount source (container.mount.dest[/lib/modules]). The pathname can be a glob. In instances of userspace container engine lookup delays, this field may not be available yet. | all | up to 6.1.0 |
container.mount.mode | CHARBUF | The mount mode, specified by number (e.g. container.mount.mode[0]) or mount source (container.mount.mode[/usr/local]). The pathname can be a glob. In instances of userspace container engine lookup delays, this field may not be available yet. | all | up to 6.1.0 |
container.mount.rdwr | CHARBUF | The mount rdwr value, specified by number (e.g. container.mount.rdwr[0]) or mount source (container.mount.rdwr[/usr/local]). The pathname can be a glob. In instances of userspace container engine lookup delays, this field may not be available yet. | all | up to 6.1.0 |
container.mount.propagation | CHARBUF | The mount propagation value, specified by number (e.g. container.mount.propagation[0]) or mount source (container.mount.propagation[/usr/local]). The pathname can be a glob. In instances of userspace container engine lookup delays, this field may not be available yet. | all | up to 6.1.0 |
container.image.repository | CHARBUF | The container image repository (e.g. falcosecurity/falco). In instances of userspace container engine lookup delays, this field may not be available yet. | all | up to 6.1.0 |
container.image.tag | CHARBUF | The container image tag (e.g. stable, latest). In instances of userspace container engine lookup delays, this field may not be available yet. | all | up to 6.1.0 |
container.image.digest | CHARBUF | The container image registry digest (e.g. sha256:d977378f890d445c15e51795296e4e5062f109ce6da83e0a355fc4ad8699d27). In instances of userspace container engine lookup delays, this field may not be available yet. | all | up to 6.1.0 |
container.healthcheck | CHARBUF | The container’s health check. Will be the null value (“N/A”) if no healthcheck configured, “NONE” if configured but explicitly not created, and the healthcheck command line otherwise. In instances of userspace container engine lookup delays, this field may not be available yet. | all | up to 6.1.0 |
container.liveness_probe | CHARBUF | The container’s liveness probe. Will be the null value (“N/A”) if no liveness probe configured, the liveness probe command line otherwise. In instances of userspace container engine lookup delays, this field may not be available yet. | all | up to 6.1.0 |
container.readiness_probe | CHARBUF | The container’s readiness probe. Will be the null value (“N/A”) if no readiness probe configured, the readiness probe command line otherwise. In instances of userspace container engine lookup delays, this field may not be available yet. | all | up to 6.1.0 |
container.start_ts | ABSTIME | Container start as epoch timestamp in nanoseconds based on proc.pidns_init_start_ts and extracted in the kernel and not from the container runtime socket / container engine. | all | up to 6.1.0 |
container.duration | RELTIME | Number of nanoseconds since container.start_ts. | all | up to 6.1.0 |
container.ip | CHARBUF | The container’s / pod’s primary ip address as retrieved from the container engine. Only ipv4 addresses are tracked. Consider container.cni.json (CRI use case) for logging ip addresses for each network interface. In instances of userspace container engine lookup delays, this field may not be available yet. | all | up to 6.1.0 |
container.cni.json | CHARBUF | The container’s / pod’s CNI result field from the respective pod status info. It contains ip addresses for each network interface exposed as unparsed escaped JSON string. Supported for CRI container engine (containerd, cri-o runtimes), optimized for containerd (some non-critical JSON keys removed). Useful for tracking ips (ipv4 and ipv6, dual-stack support) for each network interface (multi-interface support). In instances of userspace container engine lookup delays, this field may not be available yet. | all | up to 6.1.0 |
container.host_pid | BOOL | ’true’ if the container is running in the host PID namespace, ‘false’ otherwise. | 13.6.0 and above | from 5.3.0 to 6.1.0 |
container.host_network | BOOL | ’true’ if the container is running in the host network namespace, ‘false’ otherwise. | 13.6.0 and above | from 5.3.0 to 6.1.0 |
container.host_ipc | BOOL | ’true’ if the container is running in the host IPC namespace, ‘false’ otherwise. | 13.6.0 and above | from 5.3.0 to 6.1.0 |
container.label | CHARBUF | Container label. E.g. ‘container.label.foo’. | 14.3.0 and above | — |
container.labels | CHARBUF | Container comma-separated key/value labels. E.g. ‘foo1:bar1,foo2:bar2’. | 14.3.0 and above | — |
proc.is_container_healthcheck | BOOL | ’true’ if this process is running as a part of the container’s health check. | 14.3.0 and above | — |
proc.is_container_liveness_probe | BOOL | ’true’ if this process is running as a part of the container’s liveness probe. | 14.3.0 and above | — |
proc.is_container_readiness_probe | BOOL | ’true’ if this process is running as a part of the container’s readiness probe. | 14.3.0 and above | — |
k8s.pod.name | CHARBUF | The Kubernetes pod name. This field is extracted from the container runtime socket simultaneously as we look up the ‘container.*’ fields. In cases of lookup delays, it may not be available yet. | 14.3.0 and above | — |
k8s.ns.name | CHARBUF | The Kubernetes namespace name. This field is extracted from the container runtime socket simultaneously as we look up the ‘container.*’ fields. In cases of lookup delays, it may not be available yet. | 14.3.0 and above | — |
k8s.pod.id | CHARBUF | [LEGACY] The Kubernetes pod UID, e.g. 3e41dc6b-08a8-44db-bc2a-3724b18ab19a. This legacy field points to k8s.pod.uid; however, the pod ID typically refers to the pod sandbox ID. We recommend using the semantically more accurate k8s.pod.uid field. This field is extracted from the container runtime socket simultaneously as we look up the ‘container.*’ fields. In cases of lookup delays, it may not be available yet. | 14.3.0 and above | — |
k8s.pod.uid | CHARBUF | The Kubernetes pod UID, e.g. 3e41dc6b-08a8-44db-bc2a-3724b18ab19a. Note that the pod UID is a unique identifier assigned upon pod creation within Kubernetes, allowing the Kubernetes control plane to manage and track pods reliably. As such, it is fundamentally a different concept compared to the pod sandbox ID. This field is extracted from the container runtime socket simultaneously as we look up the ‘container.*’ fields. In cases of lookup delays, it may not be available yet. | 14.3.0 and above | — |
k8s.pod.sandbox_id | CHARBUF | The truncated Kubernetes pod sandbox ID (first 12 characters), e.g 63060edc2d3a. The sandbox ID is specific to the container runtime environment. It is the equivalent of the container ID for the pod / sandbox and extracted from the Linux cgroups. As such, it differs from the pod UID. This field is extracted from the container runtime socket simultaneously as we look up the ‘container.’ fields. In cases of lookup delays, it may not be available yet. In Kubernetes, pod sandbox container processes can exist where container.id matches k8s.pod.sandbox_id, lacking other ‘container.’ details. | 14.3.0 and above | — |
k8s.pod.full_sandbox_id | CHARBUF | The full Kubernetes pod / sandbox ID, e.g 63060edc2d3aa803ab559f2393776b151f99fc5b05035b21db66b3b62246ad6a. This field is extracted from the container runtime socket simultaneously as we look up the ‘container.*’ fields. In cases of lookup delays, it may not be available yet. | 14.3.0 and above | — |
k8s.pod.label | CHARBUF | The Kubernetes pod label. The label can be accessed either with the familiar brackets notation, e.g. ‘k8s.pod.label[foo]’ or by appending a dot followed by the name, e.g. ‘k8s.pod.label.foo’. The label name itself can include the original special characters such as ‘.’, ‘-’, ‘_’ or ‘/’ characters. For instance, ‘k8s.pod.label[app.kubernetes.io/name]’, ‘k8s.pod.label.app.kubernetes.io/name’ or ‘k8s.pod.label[custom-label_one]’ are all valid. This field is extracted from the container runtime socket simultaneously as we look up the ‘container.*’ fields. In cases of lookup delays, it may not be available yet. | 14.3.0 and above | — |
k8s.pod.labels | CHARBUF | The Kubernetes pod comma-separated key/value labels. E.g. ‘foo1:bar1,foo2:bar2’. This field is extracted from the container runtime socket simultaneously as we look up the ‘container.*’ fields. In cases of lookup delays, it may not be available yet. | 14.3.0 and above | — |
k8s.pod.ip | CHARBUF | The Kubernetes pod ip, same as container.ip field as each container in a pod shares the network stack of the sandbox / pod. Only ipv4 addresses are tracked. Consider k8s.pod.cni.json for logging ip addresses for each network interface. This field is extracted from the container runtime socket simultaneously as we look up the ‘container.*’ fields. In cases of lookup delays, it may not be available yet. | 14.3.0 and above | — |
k8s.pod.cni.json | CHARBUF | The Kubernetes pod CNI result field from the respective pod status info, same as container.cni.json field. It contains ip addresses for each network interface exposed as unparsed escaped JSON string. Supported for CRI container engine (containerd, cri-o runtimes), optimized for containerd (some non-critical JSON keys removed). Useful for tracking ips (ipv4 and ipv6, dual-stack support) for each network interface (multi-interface support). This field is extracted from the container runtime socket simultaneously as we look up the ‘container.*’ fields. In cases of lookup delays, it may not be available yet. | 14.3.0 and above | — |
Field Class: security-dns (plugin)
| Name | Type | Description | Linux versions | Serverless versions |
|---|---|---|---|---|
dns.domain | CHARBUF | The domain being queried (e.g. sysdig.com) as a string. | all | all |
dns.query_type | CHARBUF | The type of lookup (e.g. A, AAAA, CNAME) of the query as a string. | all | all |
dns.query_class | CHARBUF | The class of lookup (e.g. IN) as a string. | all | all |
dns.success | BOOL | Whether the query was successful or not as a boolean value. | all | all |
dns.type | CHARBUF | The type of DNS event as a string, either “query” or “response”. | all | all |
dns.result | UINT64 | The result code (RCODE) of the query, 0 on success, see RFC-1035 for other values. | all | all |
dns.truncated | BOOL | Whether or not the query was truncated as a boolean value. | all | all |
dns.query.domains | CHARBUF | A list of all the domains being queried as strings. | all | all |
dns.query.domain | CHARBUF | An indexed field for the domain being queried as a string. | all | all |
dns.query.type | CHARBUF | An indexed field for the type of query (e.g. A, AAAA, CNAME) being queried as a string. | all | all |
dns.query.class | CHARBUF | An indexed field for the class of query (e.g. IN) being queried as a string. | all | all |
dns.query.lengths | UINT64 | The total length of the string of each domain being looked up. | all | all |
dns.query.length | UINT64 | An indexed field for the length of the domain string in each query. | all | all |
dns.response.domains | CHARBUF | A list of all the domains in the response as strings. | all | all |
dns.response.domain | CHARBUF | An indexed field for each domain in the response as a string. | all | all |
dns.response.ttl | UINT64 | An indexed field for The Time To Live of the record as an integer | all | all |
dns.response.type | CHARBUF | An indexed field for the type of respose (e.g. A, AAAA, CNAME) as a string. This can differ from what was originally queried. | all | all |
dns.response.class | CHARBUF | An indexed field for the class of respose (e.g. IN) as a string. | all | all |
dns.response.values | CHARBUF | A list containing the value of each response as a string. | all | all |
dns.response.value | CHARBUF | An indexed field for the class of respose (e.g. IN) as a string. | all | all |
dns.response.cnames | CHARBUF | A list of all the CNAMES in the response as strings. This will be empty if no CNAME records are present. | all | all |
dns.response.cname | CHARBUF | An indexed field for CNAME response records. This will be empty if the given index is not a CNAME. | all | all |
dns.response.txts | CHARBUF | A list of all the TXT records in the response as strings. This will be empty if no TXT records are present. | all | all |
dns.response.txt | CHARBUF | An indexed field for TXT response records. This will be empty if the given index is not a TXT record. | all | all |
dns.response.srvs | CHARBUF | A list of all the SRV records in the response as strings. This will be empty if no SRV records are present. | all | all |
dns.response.srv | CHARBUF | An indexed field for SRV response records. This will be empty if the given index is not an SRV record. | all | all |
dns.response.ips | IPADDR | List of IP addresses in the response. | all | all |
dns.response.ip | IPADDR | An indexed field for ip address (A, AAAA) response records. This will be empty if the given index is not an A or AAAA record. | all | all |
dns.server_ip | IPADDR | The ip address of the DNS server. | all | all |
connect.domains | CHARBUF | Domain names which map to fd.sip in the connect syscall | all | all |
Field Class: security-hashing (plugin)
| Name | Type | Description | Linux versions | Serverless versions |
|---|---|---|---|---|
proc.hash.sha256 | CHARBUF | The hash of the file executed by this process | all | all |
proc.hash.has_match | BOOL | Whether or not the hash of the file beeing executed by this process has a match in the hash database | all | all |
proc.hash.category | CHARBUF | In case proc.has_match is true, the category of the malware being executed | all | all |
fd.hash.sha256 | CHARBUF | The hash of the file | 13.6.0 and above | all |
fd.hash.has_match | BOOL | Whether or not the hash of the filehas a match in the hash database | 13.6.0 and above | all |
fd.hash.category | CHARBUF | In case fd.has_match is true, the category of the malware | 13.6.0 and above | all |
fd.hash.num | UINT64 | File descriptor number of the hashed file | 13.6.0 and above | all |
Field Class: security-fim (plugin)
| Name | Type | Description | Linux versions | Serverless versions |
|---|---|---|---|---|
fim.path | CHARBUF | The path of the file that triggered the file integrity monitoring event | 14.3.0 and above | — |
fim.filename | CHARBUF | The name of the file that triggered the file integrity monitoring event | 14.3.0 and above | — |
fim.old_hash.sha256 | CHARBUF | The SHA256 hash value computed from the file contents prior to the modification being detected | 14.3.0 and above | — |
fim.new_hash.sha256 | CHARBUF | The SHA256 hash value computed from the file contents after the modification event was detected | 14.3.0 and above | — |
fim.type | CHARBUF | The type of FIM event that occurred, such as file modification or deletion | 14.3.0 and above | — |
Events
Syscall events
| Default | Dir | Name | Params | Linux versions | Serverless versions |
|---|---|---|---|---|---|
| Yes | > | open | FSPATH name, FLAGS32 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE, O_F_CREATED, FD_UPPER_LAYER, FD_LOWER_LAYER, UINT32 mode | all | all |
| Yes | < | open | FD fd, FSPATH name, FLAGS32 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE, O_F_CREATED, FD_UPPER_LAYER, FD_LOWER_LAYER, UINT32 mode, UINT32 dev, UINT64 ino | all | all |
| Yes | > | close | FD fd | all | all |
| Yes | < | close | ERRNO res | all | all |
| No | > | read | FD fd, UINT32 size | all | all |
| No | < | read | ERRNO res, BYTEBUF data, FD fd, UINT32 size | all | all |
| No | > | write | FD fd, UINT32 size | all | all |
| No | < | write | ERRNO res, BYTEBUF data, FD fd, UINT32 size | all | all |
| Yes | > | socket | ENUMFLAGS32 domain: AF_NFC, AF_ALG, AF_CAIF, AF_IEEE802154, AF_PHONET, AF_ISDN, AF_RXRPC, AF_IUCV, AF_BLUETOOTH, AF_TIPC, AF_CAN, AF_LLC, AF_WANPIPE, AF_PPPOX, AF_IRDA, AF_SNA, AF_RDS, AF_ATMSVC, AF_ECONET, AF_ASH, AF_PACKET, AF_ROUTE, AF_NETLINK, AF_KEY, AF_SECURITY, AF_NETBEUI, AF_DECnet, AF_ROSE, AF_INET6, AF_X25, AF_ATMPVC, AF_BRIDGE, AF_NETROM, AF_APPLETALK, AF_IPX, AF_AX25, AF_INET, AF_LOCAL, AF_UNIX, AF_UNSPEC, UINT32 type, UINT32 proto | all | all |
| Yes | < | socket | FD fd, ENUMFLAGS32 domain: AF_NFC, AF_ALG, AF_CAIF, AF_IEEE802154, AF_PHONET, AF_ISDN, AF_RXRPC, AF_IUCV, AF_BLUETOOTH, AF_TIPC, AF_CAN, AF_LLC, AF_WANPIPE, AF_PPPOX, AF_IRDA, AF_SNA, AF_RDS, AF_ATMSVC, AF_ECONET, AF_ASH, AF_PACKET, AF_ROUTE, AF_NETLINK, AF_KEY, AF_SECURITY, AF_NETBEUI, AF_DECnet, AF_ROSE, AF_INET6, AF_X25, AF_ATMPVC, AF_BRIDGE, AF_NETROM, AF_APPLETALK, AF_IPX, AF_AX25, AF_INET, AF_LOCAL, AF_UNIX, AF_UNSPEC, UINT32 type, UINT32 proto | all | all |
| Yes | > | bind | FD fd | all | all |
| Yes | < | bind | ERRNO res, SOCKADDR addr, FD fd | all | all |
| Yes | > | connect | FD fd, SOCKADDR addr | all | all |
| Yes | < | connect | ERRNO res, SOCKTUPLE tuple, FD fd | all | all |
| Yes | > | listen | FD fd, INT32 backlog | all | all |
| Yes | < | listen | ERRNO res, FD fd, INT32 backlog | all | all |
| No | > | send | FD fd, UINT32 size | all | all |
| No | < | send | ERRNO res, BYTEBUF data | all | all |
| Yes | > | sendto | FD fd, UINT32 size, SOCKTUPLE tuple | all | all |
| Yes | < | sendto | ERRNO res, BYTEBUF data | all | all |
| No | > | recv | FD fd, UINT32 size | all | all |
| No | < | recv | ERRNO res, BYTEBUF data | all | all |
| Yes | > | recvfrom | FD fd, UINT32 size | all | all |
| Yes | < | recvfrom | ERRNO res, BYTEBUF data, SOCKTUPLE tuple | all | all |
| Yes | > | shutdown | FD fd, ENUMFLAGS8 how: SHUT_UNKNOWN, SHUT_RDWR, SHUT_WR, SHUT_RD | all | all |
| Yes | < | shutdown | ERRNO res | all | all |
| Yes | > | getsockname | all | all | |
| Yes | < | getsockname | all | all | |
| Yes | > | getpeername | all | all | |
| Yes | < | getpeername | all | all | |
| Yes | > | socketpair | ENUMFLAGS32 domain: AF_NFC, AF_ALG, AF_CAIF, AF_IEEE802154, AF_PHONET, AF_ISDN, AF_RXRPC, AF_IUCV, AF_BLUETOOTH, AF_TIPC, AF_CAN, AF_LLC, AF_WANPIPE, AF_PPPOX, AF_IRDA, AF_SNA, AF_RDS, AF_ATMSVC, AF_ECONET, AF_ASH, AF_PACKET, AF_ROUTE, AF_NETLINK, AF_KEY, AF_SECURITY, AF_NETBEUI, AF_DECnet, AF_ROSE, AF_INET6, AF_X25, AF_ATMPVC, AF_BRIDGE, AF_NETROM, AF_APPLETALK, AF_IPX, AF_AX25, AF_INET, AF_LOCAL, AF_UNIX, AF_UNSPEC, UINT32 type, UINT32 proto | all | all |
| Yes | < | socketpair | ERRNO res, FD fd1, FD fd2, UINT64 source, UINT64 peer | all | all |
| Yes | > | setsockopt | all | all | |
| Yes | < | setsockopt | ERRNO res, FD fd, ENUMFLAGS8 level: SOL_SOCKET, SOL_TCP, UNKNOWN, ENUMFLAGS8 optname: SO_COOKIE, SO_MEMINFO, SO_PEERGROUPS, SO_ATTACH_BPF, SO_INCOMING_CPU, SO_BPF_EXTENSIONS, SO_MAX_PACING_RATE, SO_BUSY_POLL, SO_SELECT_ERR_QUEUE, SO_LOCK_FILTER, SO_NOFCS, SO_PEEK_OFF, SO_WIFI_STATUS, SO_RXQ_OVFL, SO_DOMAIN, SO_PROTOCOL, SO_TIMESTAMPING, SO_MARK, SO_TIMESTAMPNS, SO_PASSSEC, SO_PEERSEC, SO_ACCEPTCONN, SO_TIMESTAMP, SO_PEERNAME, SO_DETACH_FILTER, SO_ATTACH_FILTER, SO_BINDTODEVICE, SO_SECURITY_ENCRYPTION_NETWORK, SO_SECURITY_ENCRYPTION_TRANSPORT, SO_SECURITY_AUTHENTICATION, SO_SNDTIMEO, SO_RCVTIMEO, SO_SNDLOWAT, SO_RCVLOWAT, SO_PEERCRED, SO_PASSCRED, SO_REUSEPORT, SO_BSDCOMPAT, SO_LINGER, SO_PRIORITY, SO_NO_CHECK, SO_OOBINLINE, SO_KEEPALIVE, SO_RCVBUFFORCE, SO_SNDBUFFORCE, SO_RCVBUF, SO_SNDBUF, SO_BROADCAST, SO_DONTROUTE, SO_ERROR, SO_TYPE, SO_REUSEADDR, SO_DEBUG, UNKNOWN, DYNAMIC val, UINT32 optlen | all | all |
| Yes | > | getsockopt | all | all | |
| Yes | < | getsockopt | ERRNO res, FD fd, ENUMFLAGS8 level: SOL_SOCKET, SOL_TCP, UNKNOWN, ENUMFLAGS8 optname: SO_COOKIE, SO_MEMINFO, SO_PEERGROUPS, SO_ATTACH_BPF, SO_INCOMING_CPU, SO_BPF_EXTENSIONS, SO_MAX_PACING_RATE, SO_BUSY_POLL, SO_SELECT_ERR_QUEUE, SO_LOCK_FILTER, SO_NOFCS, SO_PEEK_OFF, SO_WIFI_STATUS, SO_RXQ_OVFL, SO_DOMAIN, SO_PROTOCOL, SO_TIMESTAMPING, SO_MARK, SO_TIMESTAMPNS, SO_PASSSEC, SO_PEERSEC, SO_ACCEPTCONN, SO_TIMESTAMP, SO_PEERNAME, SO_DETACH_FILTER, SO_ATTACH_FILTER, SO_BINDTODEVICE, SO_SECURITY_ENCRYPTION_NETWORK, SO_SECURITY_ENCRYPTION_TRANSPORT, SO_SECURITY_AUTHENTICATION, SO_SNDTIMEO, SO_RCVTIMEO, SO_SNDLOWAT, SO_RCVLOWAT, SO_PEERCRED, SO_PASSCRED, SO_REUSEPORT, SO_BSDCOMPAT, SO_LINGER, SO_PRIORITY, SO_NO_CHECK, SO_OOBINLINE, SO_KEEPALIVE, SO_RCVBUFFORCE, SO_SNDBUFFORCE, SO_RCVBUF, SO_SNDBUF, SO_BROADCAST, SO_DONTROUTE, SO_ERROR, SO_TYPE, SO_REUSEADDR, SO_DEBUG, UNKNOWN, DYNAMIC val, UINT32 optlen | all | all |
| Yes | > | sendmsg | FD fd, UINT32 size, SOCKTUPLE tuple | all | all |
| Yes | < | sendmsg | ERRNO res, BYTEBUF data | all | all |
| Yes | > | sendmmsg | all | all | |
| Yes | < | sendmmsg | ERRNO res, FD fd, UINT32 size, BYTEBUF data, SOCKTUPLE tuple | all | all |
| Yes | > | recvmsg | FD fd | all | all |
| Yes | < | recvmsg | ERRNO res, UINT32 size, BYTEBUF data, SOCKTUPLE tuple, BYTEBUF msgcontrol | all | all |
| Yes | > | recvmmsg | all | all | |
| Yes | < | recvmmsg | ERRNO res, FD fd, UINT32 size, BYTEBUF data, SOCKTUPLE tuple, BYTEBUF msgcontrol | all | all |
| Yes | > | creat | FSPATH name, UINT32 mode | all | all |
| Yes | < | creat | FD fd, FSPATH name, UINT32 mode, UINT32 dev, UINT64 ino, FLAGS16 creat_flags: FD_UPPER_LAYER_CREAT, FD_LOWER_LAYER_CREAT | all | all |
| Yes | > | pipe | all | all | |
| Yes | < | pipe | ERRNO res, FD fd1, FD fd2, UINT64 ino | all | all |
| Yes | > | eventfd | UINT64 initval, UINT32 flags | all | all |
| Yes | < | eventfd | FD res | all | all |
| Yes | > | futex | UINT64 addr, FLAGS16 op: FUTEX_CLOCK_REALTIME, FUTEX_PRIVATE_FLAG, FUTEX_CMP_REQUEUE_PI, FUTEX_WAIT_REQUEUE_PI, FUTEX_WAKE_BITSET, FUTEX_WAIT_BITSET, FUTEX_TRYLOCK_PI, FUTEX_UNLOCK_PI, FUTEX_LOCK_PI, FUTEX_WAKE_OP, FUTEX_CMP_REQUEUE, FUTEX_REQUEUE, FUTEX_FD, FUTEX_WAKE, FUTEX_WAIT, UINT64 val | all | all |
| Yes | < | futex | ERRNO res | all | all |
| Yes | > | stat | all | all | |
| Yes | < | stat | ERRNO res, FSPATH path | all | all |
| Yes | > | lstat | all | all | |
| Yes | < | lstat | ERRNO res, FSPATH path | all | all |
| Yes | > | fstat | FD fd | all | all |
| Yes | < | fstat | ERRNO res | all | all |
| Yes | > | stat64 | all | all | |
| Yes | < | stat64 | ERRNO res, FSPATH path | all | all |
| Yes | > | lstat64 | all | all | |
| Yes | < | lstat64 | ERRNO res, FSPATH path | all | all |
| Yes | > | fstat64 | FD fd | all | all |
| Yes | < | fstat64 | ERRNO res | all | all |
| Yes | > | epoll_wait | ERRNO maxevents | all | all |
| Yes | < | epoll_wait | ERRNO res | all | all |
| Yes | > | poll | FDLIST fds, INT64 timeout | all | all |
| Yes | < | poll | ERRNO res, FDLIST fds | all | all |
| Yes | > | select | all | all | |
| Yes | < | select | ERRNO res | all | all |
| Yes | > | lseek | FD fd, UINT64 offset, ENUMFLAGS8 whence: SEEK_END, SEEK_CUR, SEEK_SET | all | all |
| Yes | < | lseek | ERRNO res | all | all |
| Yes | > | llseek | FD fd, UINT64 offset, ENUMFLAGS8 whence: SEEK_END, SEEK_CUR, SEEK_SET | all | all |
| Yes | < | llseek | ERRNO res | all | all |
| Yes | > | getcwd | all | all | |
| Yes | < | getcwd | ERRNO res, CHARBUF path | all | all |
| Yes | > | chdir | all | all | |
| Yes | < | chdir | ERRNO res, CHARBUF path | all | all |
| Yes | > | fchdir | FD fd | all | all |
| Yes | < | fchdir | ERRNO res | all | all |
| No | > | pread | FD fd, UINT32 size, UINT64 pos | all | all |
| No | < | pread | ERRNO res, BYTEBUF data, FD fd, UINT32 size, UINT64 pos | all | all |
| No | > | pwrite | FD fd, UINT32 size, UINT64 pos | all | all |
| No | < | pwrite | ERRNO res, BYTEBUF data, FD fd, UINT32 size, UINT64 pos | all | all |
| No | > | readv | FD fd | all | all |
| No | < | readv | ERRNO res, UINT32 size, BYTEBUF data | all | all |
| No | > | writev | FD fd, UINT32 size | all | all |
| No | < | writev | ERRNO res, BYTEBUF data | all | all |
| No | > | preadv | FD fd, UINT64 pos | all | all |
| No | < | preadv | ERRNO res, UINT32 size, BYTEBUF data | all | all |
| No | > | pwritev | FD fd, UINT32 size, UINT64 pos | all | all |
| No | < | pwritev | ERRNO res, BYTEBUF data | all | all |
| Yes | > | signalfd | FD fd, UINT32 mask, UINT8 flags | all | all |
| Yes | < | signalfd | FD res | all | all |
| Yes | > | kill | PID pid, SIGTYPE sig | all | all |
| Yes | < | kill | ERRNO res | all | all |
| Yes | > | tkill | PID tid, SIGTYPE sig | all | all |
| Yes | < | tkill | ERRNO res | all | all |
| Yes | > | tgkill | PID pid, PID tid, SIGTYPE sig | all | all |
| Yes | < | tgkill | ERRNO res | all | all |
| Yes | > | nanosleep | RELTIME interval | all | all |
| Yes | < | nanosleep | ERRNO res | all | all |
| Yes | > | timerfd_create | UINT8 clockid, UINT8 flags | all | all |
| Yes | < | timerfd_create | FD res | all | all |
| Yes | > | inotify_init | UINT8 flags | all | all |
| Yes | < | inotify_init | FD res | all | all |
| Yes | > | getrlimit | ENUMFLAGS8 resource: RLIMIT_UNKNOWN, RLIMIT_RTTIME, RLIMIT_RTPRIO, RLIMIT_NICE, RLIMIT_MSGQUEUE, RLIMIT_SIGPENDING, RLIMIT_LOCKS, RLIMIT_AS, RLIMIT_MEMLOCK, RLIMIT_NOFILE, RLIMIT_NPROC, RLIMIT_RSS, RLIMIT_CORE, RLIMIT_STACK, RLIMIT_DATA, RLIMIT_FSIZE, RLIMIT_CPU | all | all |
| Yes | < | getrlimit | ERRNO res, INT64 cur, INT64 max | all | all |
| Yes | > | setrlimit | ENUMFLAGS8 resource: RLIMIT_UNKNOWN, RLIMIT_RTTIME, RLIMIT_RTPRIO, RLIMIT_NICE, RLIMIT_MSGQUEUE, RLIMIT_SIGPENDING, RLIMIT_LOCKS, RLIMIT_AS, RLIMIT_MEMLOCK, RLIMIT_NOFILE, RLIMIT_NPROC, RLIMIT_RSS, RLIMIT_CORE, RLIMIT_STACK, RLIMIT_DATA, RLIMIT_FSIZE, RLIMIT_CPU | all | all |
| Yes | < | setrlimit | ERRNO res, INT64 cur, INT64 max, ENUMFLAGS8 resource: RLIMIT_UNKNOWN, RLIMIT_RTTIME, RLIMIT_RTPRIO, RLIMIT_NICE, RLIMIT_MSGQUEUE, RLIMIT_SIGPENDING, RLIMIT_LOCKS, RLIMIT_AS, RLIMIT_MEMLOCK, RLIMIT_NOFILE, RLIMIT_NPROC, RLIMIT_RSS, RLIMIT_CORE, RLIMIT_STACK, RLIMIT_DATA, RLIMIT_FSIZE, RLIMIT_CPU | all | all |
| Yes | > | prlimit | PID pid, ENUMFLAGS8 resource: RLIMIT_UNKNOWN, RLIMIT_RTTIME, RLIMIT_RTPRIO, RLIMIT_NICE, RLIMIT_MSGQUEUE, RLIMIT_SIGPENDING, RLIMIT_LOCKS, RLIMIT_AS, RLIMIT_MEMLOCK, RLIMIT_NOFILE, RLIMIT_NPROC, RLIMIT_RSS, RLIMIT_CORE, RLIMIT_STACK, RLIMIT_DATA, RLIMIT_FSIZE, RLIMIT_CPU | all | all |
| Yes | < | prlimit | ERRNO res, INT64 newcur, INT64 newmax, INT64 oldcur, INT64 oldmax, INT64 pid, ENUMFLAGS8 resource: RLIMIT_UNKNOWN, RLIMIT_RTTIME, RLIMIT_RTPRIO, RLIMIT_NICE, RLIMIT_MSGQUEUE, RLIMIT_SIGPENDING, RLIMIT_LOCKS, RLIMIT_AS, RLIMIT_MEMLOCK, RLIMIT_NOFILE, RLIMIT_NPROC, RLIMIT_RSS, RLIMIT_CORE, RLIMIT_STACK, RLIMIT_DATA, RLIMIT_FSIZE, RLIMIT_CPU | all | all |
| Yes | > | fcntl | FD fd, ENUMFLAGS8 cmd: F_GETPIPE_SZ, F_SETPIPE_SZ, F_NOTIFY, F_DUPFD_CLOEXEC, F_CANCELLK, F_GETLEASE, F_SETLEASE, F_GETOWN_EX, F_SETOWN_EX, F_SETLKW64, F_SETLK64, F_GETLK64, F_GETSIG, F_SETSIG, F_GETOWN, F_SETOWN, F_SETLKW, F_SETLK, F_GETLK, F_SETFL, F_GETFL, F_SETFD, F_GETFD, F_DUPFD, F_OFD_GETLK, F_OFD_SETLK, F_OFD_SETLKW, UNKNOWN | all | all |
| Yes | < | fcntl | FD res, FD fd, ENUMFLAGS8 cmd: F_GETPIPE_SZ, F_SETPIPE_SZ, F_NOTIFY, F_DUPFD_CLOEXEC, F_CANCELLK, F_GETLEASE, F_SETLEASE, F_GETOWN_EX, F_SETOWN_EX, F_SETLKW64, F_SETLK64, F_GETLK64, F_GETSIG, F_SETSIG, F_GETOWN, F_SETOWN, F_SETLKW, F_SETLK, F_GETLK, F_SETFL, F_GETFL, F_SETFD, F_GETFD, F_DUPFD, F_OFD_GETLK, F_OFD_SETLK, F_OFD_SETLKW, UNKNOWN | all | all |
| Yes | > | brk | UINT64 addr | all | all |
| Yes | < | brk | UINT64 res, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap | all | all |
| Yes | > | mmap | UINT64 addr, UINT64 length, FLAGS32 prot: PROT_READ, PROT_WRITE, PROT_EXEC, PROT_SEM, PROT_GROWSDOWN, PROT_GROWSUP, PROT_SAO, PROT_NONE, FLAGS32 flags: MAP_SHARED, MAP_PRIVATE, MAP_FIXED, MAP_ANONYMOUS, MAP_32BIT, MAP_RENAME, MAP_NORESERVE, MAP_POPULATE, MAP_NONBLOCK, MAP_GROWSDOWN, MAP_DENYWRITE, MAP_EXECUTABLE, MAP_INHERIT, MAP_FILE, MAP_LOCKED, FD fd, UINT64 offset | all | all |
| Yes | < | mmap | ERRNO res, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap | all | all |
| Yes | > | mmap2 | UINT64 addr, UINT64 length, FLAGS32 prot: PROT_READ, PROT_WRITE, PROT_EXEC, PROT_SEM, PROT_GROWSDOWN, PROT_GROWSUP, PROT_SAO, PROT_NONE, FLAGS32 flags: MAP_SHARED, MAP_PRIVATE, MAP_FIXED, MAP_ANONYMOUS, MAP_32BIT, MAP_RENAME, MAP_NORESERVE, MAP_POPULATE, MAP_NONBLOCK, MAP_GROWSDOWN, MAP_DENYWRITE, MAP_EXECUTABLE, MAP_INHERIT, MAP_FILE, MAP_LOCKED, FD fd, UINT64 pgoffset | all | all |
| Yes | < | mmap2 | ERRNO res, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap | all | all |
| Yes | > | munmap | UINT64 addr, UINT64 length | all | all |
| Yes | < | munmap | ERRNO res, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap | all | all |
| Yes | > | splice | FD fd_in, FD fd_out, UINT64 size, FLAGS32 flags: SPLICE_F_MOVE, SPLICE_F_NONBLOCK, SPLICE_F_MORE, SPLICE_F_GIFT | all | all |
| Yes | < | splice | ERRNO res | all | all |
| Yes | > | ptrace | ENUMFLAGS16 request: PTRACE_SINGLEBLOCK, PTRACE_SYSEMU_SINGLESTEP, PTRACE_SYSEMU, PTRACE_ARCH_PRCTL, PTRACE_SET_THREAD_AREA, PTRACE_GET_THREAD_AREA, PTRACE_OLDSETOPTIONS, PTRACE_SETFPXREGS, PTRACE_GETFPXREGS, PTRACE_SETFPREGS, PTRACE_GETFPREGS, PTRACE_SETREGS, PTRACE_GETREGS, PTRACE_SETSIGMASK, PTRACE_GETSIGMASK, PTRACE_PEEKSIGINFO, PTRACE_LISTEN, PTRACE_INTERRUPT, PTRACE_SEIZE, PTRACE_SETREGSET, PTRACE_GETREGSET, PTRACE_SETSIGINFO, PTRACE_GETSIGINFO, PTRACE_GETEVENTMSG, PTRACE_SETOPTIONS, PTRACE_SYSCALL, PTRACE_DETACH, PTRACE_ATTACH, PTRACE_SINGLESTEP, PTRACE_KILL, PTRACE_CONT, PTRACE_POKEUSR, PTRACE_POKEDATA, PTRACE_POKETEXT, PTRACE_PEEKUSR, PTRACE_PEEKDATA, PTRACE_PEEKTEXT, PTRACE_TRACEME, PTRACE_UNKNOWN, PID pid | all | all |
| Yes | < | ptrace | ERRNO res, DYNAMIC addr, DYNAMIC data | all | all |
| Yes | > | ioctl | FD fd, UINT64 request, UINT64 argument | all | all |
| Yes | < | ioctl | ERRNO res | all | all |
| Yes | > | rename | all | all | |
| Yes | < | rename | ERRNO res, FSPATH oldpath, FSPATH newpath | all | all |
| Yes | > | renameat | all | all | |
| Yes | < | renameat | ERRNO res, FD olddirfd, FSRELPATH oldpath, FD newdirfd, FSRELPATH newpath | all | all |
| Yes | > | symlink | all | all | |
| Yes | < | symlink | ERRNO res, CHARBUF target, FSPATH linkpath | all | all |
| Yes | > | symlinkat | all | all | |
| Yes | < | symlinkat | ERRNO res, CHARBUF target, FD linkdirfd, FSRELPATH linkpath | all | all |
| No | > | sendfile | FD out_fd, FD in_fd, UINT64 offset, UINT64 size | all | all |
| No | < | sendfile | ERRNO res, UINT64 offset | all | all |
| Yes | > | quotactl | FLAGS16 cmd: Q_QUOTAON, Q_QUOTAOFF, Q_GETFMT, Q_GETINFO, Q_SETINFO, Q_GETQUOTA, Q_SETQUOTA, Q_SYNC, Q_XQUOTAON, Q_XQUOTAOFF, Q_XGETQUOTA, Q_XSETQLIM, Q_XGETQSTAT, Q_XQUOTARM, Q_XQUOTASYNC, FLAGS8 type: USRQUOTA, GRPQUOTA, UINT32 id, FLAGS8 quota_fmt: QFMT_NOT_USED, QFMT_VFS_OLD, QFMT_VFS_V0, QFMT_VFS_V1 | all | all |
| Yes | < | quotactl | ERRNO res, CHARBUF special, CHARBUF quotafilepath, UINT64 dqb_bhardlimit, UINT64 dqb_bsoftlimit, UINT64 dqb_curspace, UINT64 dqb_ihardlimit, UINT64 dqb_isoftlimit, RELTIME dqb_btime, RELTIME dqb_itime, RELTIME dqi_bgrace, RELTIME dqi_igrace, FLAGS8 dqi_flags: DQF_NONE, V1_DQF_RSQUASH, FLAGS8 quota_fmt_out: QFMT_NOT_USED, QFMT_VFS_OLD, QFMT_VFS_V0, QFMT_VFS_V1 | all | all |
| Yes | > | setresuid | UID ruid, UID euid, UID suid | all | all |
| Yes | < | setresuid | ERRNO res | all | all |
| Yes | > | setresgid | GID rgid, GID egid, GID sgid | all | all |
| Yes | < | setresgid | ERRNO res | all | all |
| Yes | > | setuid | UID uid | all | all |
| Yes | < | setuid | ERRNO res | all | all |
| Yes | > | setgid | GID gid | all | all |
| Yes | < | setgid | ERRNO res | all | all |
| Yes | > | getuid | all | all | |
| Yes | < | getuid | UID uid | all | all |
| Yes | > | geteuid | all | all | |
| Yes | < | geteuid | UID euid | all | all |
| Yes | > | getgid | all | all | |
| Yes | < | getgid | GID gid | all | all |
| Yes | > | getegid | all | all | |
| Yes | < | getegid | GID egid | all | all |
| Yes | > | getresuid | all | all | |
| Yes | < | getresuid | ERRNO res, UID ruid, UID euid, UID suid | all | all |
| Yes | > | getresgid | all | all | |
| Yes | < | getresgid | ERRNO res, GID rgid, GID egid, GID sgid | all | all |
| Yes | > | clone | all | all | |
| Yes | < | clone | PID res, CHARBUF exe, BYTEBUF args, PID tid, PID pid, PID ptid, CHARBUF cwd, INT64 fdlimit, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap, CHARBUF comm, BYTEBUF cgroups, FLAGS32 flags: CLONE_FILES, CLONE_FS, CLONE_IO, CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWUTS, CLONE_PARENT, CLONE_PARENT_SETTID, CLONE_PTRACE, CLONE_SIGHAND, CLONE_SYSVSEM, CLONE_THREAD, CLONE_UNTRACED, CLONE_VM, CLONE_INVERTED, NAME_CHANGED, CLOSED, CLONE_NEWUSER, CLONE_CHILD_CLEARTID, CLONE_CHILD_SETTID, CLONE_SETTLS, CLONE_STOPPED, CLONE_VFORK, CLONE_NEWCGROUP, UINT32 uid, UINT32 gid, PID vtid, PID vpid, UINT64 pidns_init_start_ts | all | all |
| Yes | > | fork | all | all | |
| Yes | < | fork | PID res, CHARBUF exe, BYTEBUF args, PID tid, PID pid, PID ptid, CHARBUF cwd, INT64 fdlimit, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap, CHARBUF comm, BYTEBUF cgroups, FLAGS32 flags: CLONE_FILES, CLONE_FS, CLONE_IO, CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWUTS, CLONE_PARENT, CLONE_PARENT_SETTID, CLONE_PTRACE, CLONE_SIGHAND, CLONE_SYSVSEM, CLONE_THREAD, CLONE_UNTRACED, CLONE_VM, CLONE_INVERTED, NAME_CHANGED, CLOSED, CLONE_NEWUSER, CLONE_CHILD_CLEARTID, CLONE_CHILD_SETTID, CLONE_SETTLS, CLONE_STOPPED, CLONE_VFORK, CLONE_NEWCGROUP, UINT32 uid, UINT32 gid, PID vtid, PID vpid, UINT64 pidns_init_start_ts | all | all |
| Yes | > | vfork | all | all | |
| Yes | < | vfork | PID res, CHARBUF exe, BYTEBUF args, PID tid, PID pid, PID ptid, CHARBUF cwd, INT64 fdlimit, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap, CHARBUF comm, BYTEBUF cgroups, FLAGS32 flags: CLONE_FILES, CLONE_FS, CLONE_IO, CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWUTS, CLONE_PARENT, CLONE_PARENT_SETTID, CLONE_PTRACE, CLONE_SIGHAND, CLONE_SYSVSEM, CLONE_THREAD, CLONE_UNTRACED, CLONE_VM, CLONE_INVERTED, NAME_CHANGED, CLOSED, CLONE_NEWUSER, CLONE_CHILD_CLEARTID, CLONE_CHILD_SETTID, CLONE_SETTLS, CLONE_STOPPED, CLONE_VFORK, CLONE_NEWCGROUP, UINT32 uid, UINT32 gid, PID vtid, PID vpid, UINT64 pidns_init_start_ts | all | all |
| Yes | > | getdents | FD fd | all | all |
| Yes | < | getdents | ERRNO res | all | all |
| Yes | > | getdents64 | FD fd | all | all |
| Yes | < | getdents64 | ERRNO res | all | all |
| Yes | > | setns | FD fd, FLAGS32 nstype: CLONE_FILES, CLONE_FS, CLONE_IO, CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWUTS, CLONE_PARENT, CLONE_PARENT_SETTID, CLONE_PTRACE, CLONE_SIGHAND, CLONE_SYSVSEM, CLONE_THREAD, CLONE_UNTRACED, CLONE_VM, CLONE_INVERTED, NAME_CHANGED, CLOSED, CLONE_NEWUSER, CLONE_CHILD_CLEARTID, CLONE_CHILD_SETTID, CLONE_SETTLS, CLONE_STOPPED, CLONE_VFORK, CLONE_NEWCGROUP | all | all |
| Yes | < | setns | ERRNO res | all | all |
| Yes | > | flock | FD fd, FLAGS32 operation: LOCK_SH, LOCK_EX, LOCK_NB, LOCK_UN, LOCK_NONE | all | all |
| Yes | < | flock | ERRNO res | all | all |
| Yes | > | accept | all | all | |
| Yes | < | accept | FD fd, SOCKTUPLE tuple, UINT8 queuepct, UINT32 queuelen, UINT32 queuemax | all | all |
| Yes | > | semop | INT32 semid | all | all |
| Yes | < | semop | ERRNO res, UINT32 nsops, UINT16 sem_num_0, INT16 sem_op_0, FLAGS16 sem_flg_0: IPC_NOWAIT, SEM_UNDO, UINT16 sem_num_1, INT16 sem_op_1, FLAGS16 sem_flg_1: IPC_NOWAIT, SEM_UNDO | all | all |
| Yes | > | semctl | INT32 semid, INT32 semnum, FLAGS16 cmd: IPC_STAT, IPC_SET, IPC_RMID, IPC_INFO, SEM_INFO, SEM_STAT, GETALL, GETNCNT, GETPID, GETVAL, GETZCNT, SETALL, SETVAL, INT32 val | all | all |
| Yes | < | semctl | ERRNO res | all | all |
| Yes | > | ppoll | FDLIST fds, RELTIME timeout, SIGSET sigmask | all | all |
| Yes | < | ppoll | ERRNO res, FDLIST fds | all | all |
| Yes | > | mount | FLAGS32 flags: RDONLY, NOSUID, NODEV, NOEXEC, SYNCHRONOUS, REMOUNT, MANDLOCK, DIRSYNC, NOATIME, NODIRATIME, BIND, MOVE, REC, SILENT, POSIXACL, UNBINDABLE, PRIVATE, SLAVE, SHARED, RELATIME, KERNMOUNT, I_VERSION, STRICTATIME, LAZYTIME, NOSEC, BORN, ACTIVE, NOUSER | all | all |
| Yes | < | mount | ERRNO res, CHARBUF dev, FSPATH dir, CHARBUF type | all | all |
| Yes | > | semget | INT32 key, INT32 nsems, FLAGS32 semflg: IPC_EXCL, IPC_CREAT | all | all |
| Yes | < | semget | ERRNO res | all | all |
| Yes | > | access | FLAGS32 mode: F_OK, R_OK, W_OK, X_OK | all | all |
| Yes | < | access | ERRNO res, FSPATH name | all | all |
| Yes | > | chroot | all | all | |
| Yes | < | chroot | ERRNO res, FSPATH path | all | all |
| Yes | > | setsid | all | all | |
| Yes | < | setsid | PID res | all | all |
| Yes | > | mkdir | UINT32 mode | all | all |
| Yes | < | mkdir | ERRNO res, FSPATH path | all | all |
| Yes | > | rmdir | all | all | |
| Yes | < | rmdir | ERRNO res, FSPATH path | all | all |
| Yes | > | unshare | FLAGS32 flags: CLONE_FILES, CLONE_FS, CLONE_IO, CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWUTS, CLONE_PARENT, CLONE_PARENT_SETTID, CLONE_PTRACE, CLONE_SIGHAND, CLONE_SYSVSEM, CLONE_THREAD, CLONE_UNTRACED, CLONE_VM, CLONE_INVERTED, NAME_CHANGED, CLOSED, CLONE_NEWUSER, CLONE_CHILD_CLEARTID, CLONE_CHILD_SETTID, CLONE_SETTLS, CLONE_STOPPED, CLONE_VFORK, CLONE_NEWCGROUP | all | all |
| Yes | < | unshare | ERRNO res | all | all |
| Yes | > | execve | FSPATH filename | all | all |
| Yes | < | execve | ERRNO res, CHARBUF exe, BYTEBUF args, PID tid, PID pid, PID ptid, CHARBUF cwd, UINT64 fdlimit, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap, CHARBUF comm, BYTEBUF cgroups, BYTEBUF env, UINT32 tty, PID vpgid, UID loginuid, FLAGS32 flags: EXE_WRITABLE, EXE_UPPER_LAYER, EXE_FROM_MEMFD, EXE_LOWER_LAYER, UINT64 cap_inheritable, UINT64 cap_permitted, UINT64 cap_effective, UINT64 exe_ino, ABSTIME exe_ino_ctime, ABSTIME exe_ino_mtime, UID uid, FSPATH trusted_exepath, PID pgid, GID gid | all | all |
| Yes | > | setpgid | PID pid, PID pgid | all | all |
| Yes | < | setpgid | PID res | all | all |
| Yes | > | seccomp | UINT64 op, UINT64 flags | all | all |
| Yes | < | seccomp | ERRNO res | all | all |
| Yes | > | unlink | all | all | |
| Yes | < | unlink | ERRNO res, FSPATH path | all | all |
| Yes | > | unlinkat | all | all | |
| Yes | < | unlinkat | ERRNO res, FD dirfd, FSRELPATH name, FLAGS32 flags: AT_REMOVEDIR | all | all |
| Yes | > | mkdirat | all | all | |
| Yes | < | mkdirat | ERRNO res, FD dirfd, FSRELPATH path, UINT32 mode | all | all |
| Yes | > | openat | FD dirfd, FSRELPATH name, FLAGS32 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE, O_F_CREATED, FD_UPPER_LAYER, FD_LOWER_LAYER, UINT32 mode | all | all |
| Yes | < | openat | FD fd, FD dirfd, FSRELPATH name, FLAGS32 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE, O_F_CREATED, FD_UPPER_LAYER, FD_LOWER_LAYER, UINT32 mode, UINT32 dev, UINT64 ino | all | all |
| Yes | > | link | all | all | |
| Yes | < | link | ERRNO res, FSPATH oldpath, FSPATH newpath | all | all |
| Yes | > | linkat | all | all | |
| Yes | < | linkat | ERRNO res, FD olddir, FSRELPATH oldpath, FD newdir, FSRELPATH newpath, FLAGS32 flags: AT_SYMLINK_FOLLOW, AT_EMPTY_PATH | all | all |
| Yes | > | fchmodat | all | all | |
| Yes | < | fchmodat | ERRNO res, FD dirfd, FSRELPATH filename, MODE mode | all | all |
| Yes | > | chmod | all | all | |
| Yes | < | chmod | ERRNO res, FSPATH filename, MODE mode | all | all |
| Yes | > | fchmod | all | all | |
| Yes | < | fchmod | ERRNO res, FD fd, MODE mode | all | all |
| Yes | > | renameat2 | all | all | |
| Yes | < | renameat2 | ERRNO res, FD olddirfd, FSRELPATH oldpath, FD newdirfd, FSRELPATH newpath, FLAGS32 flags: RENAME_NOREPLACE, RENAME_EXCHANGE, RENAME_WHITEOUT | all | all |
| Yes | > | userfaultfd | all | all | |
| Yes | < | userfaultfd | ERRNO res, FLAGS32 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE, O_F_CREATED, FD_UPPER_LAYER, FD_LOWER_LAYER | all | all |
| Yes | > | openat2 | FD dirfd, FSRELPATH name, FLAGS32 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE, O_F_CREATED, FD_UPPER_LAYER, FD_LOWER_LAYER, UINT32 mode, FLAGS32 resolve: RESOLVE_BENEATH, RESOLVE_IN_ROOT, RESOLVE_NO_MAGICLINKS, RESOLVE_NO_SYMLINKS, RESOLVE_NO_XDEV, RESOLVE_CACHED | all | all |
| Yes | < | openat2 | FD fd, FD dirfd, FSRELPATH name, FLAGS32 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE, O_F_CREATED, FD_UPPER_LAYER, FD_LOWER_LAYER, UINT32 mode, FLAGS32 resolve: RESOLVE_BENEATH, RESOLVE_IN_ROOT, RESOLVE_NO_MAGICLINKS, RESOLVE_NO_SYMLINKS, RESOLVE_NO_XDEV, RESOLVE_CACHED, UINT32 dev, UINT64 ino | all | all |
| Yes | > | mprotect | UINT64 addr, UINT64 length, FLAGS32 prot: PROT_READ, PROT_WRITE, PROT_EXEC, PROT_SEM, PROT_GROWSDOWN, PROT_GROWSUP, PROT_SAO, PROT_NONE | all | all |
| Yes | < | mprotect | ERRNO res | all | all |
| Yes | > | execveat | FD dirfd, FSRELPATH pathname, FLAGS32 flags: AT_EMPTY_PATH, AT_SYMLINK_NOFOLLOW | all | all |
| Yes | < | execveat | ERRNO res, CHARBUF exe, BYTEBUF args, PID tid, PID pid, PID ptid, CHARBUF cwd, UINT64 fdlimit, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap, CHARBUF comm, BYTEBUF cgroups, BYTEBUF env, UINT32 tty, PID vpgid, UID loginuid, FLAGS32 flags: EXE_WRITABLE, EXE_UPPER_LAYER, EXE_FROM_MEMFD, EXE_LOWER_LAYER, UINT64 cap_inheritable, UINT64 cap_permitted, UINT64 cap_effective, UINT64 exe_ino, ABSTIME exe_ino_ctime, ABSTIME exe_ino_mtime, UID uid, FSPATH trusted_exepath, PID pgid, GID gid | all | all |
| Yes | > | copy_file_range | FD fdin, UINT64 offin, UINT64 len | all | all |
| Yes | < | copy_file_range | ERRNO res, FD fdout, UINT64 offout | all | all |
| Yes | > | clone3 | all | all | |
| Yes | < | clone3 | PID res, CHARBUF exe, BYTEBUF args, PID tid, PID pid, PID ptid, CHARBUF cwd, INT64 fdlimit, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap, CHARBUF comm, BYTEBUF cgroups, FLAGS32 flags: CLONE_FILES, CLONE_FS, CLONE_IO, CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWUTS, CLONE_PARENT, CLONE_PARENT_SETTID, CLONE_PTRACE, CLONE_SIGHAND, CLONE_SYSVSEM, CLONE_THREAD, CLONE_UNTRACED, CLONE_VM, CLONE_INVERTED, NAME_CHANGED, CLOSED, CLONE_NEWUSER, CLONE_CHILD_CLEARTID, CLONE_CHILD_SETTID, CLONE_SETTLS, CLONE_STOPPED, CLONE_VFORK, CLONE_NEWCGROUP, UINT32 uid, UINT32 gid, PID vtid, PID vpid, UINT64 pidns_init_start_ts | all | all |
| Yes | > | open_by_handle_at | all | all | |
| Yes | < | open_by_handle_at | FD fd, FD mountfd, FLAGS32 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE, O_F_CREATED, FD_UPPER_LAYER, FD_LOWER_LAYER, FSPATH path, UINT32 dev, UINT64 ino | all | all |
| Yes | > | io_uring_setup | all | all | |
| Yes | < | io_uring_setup | ERRNO res, UINT32 entries, UINT32 sq_entries, UINT32 cq_entries, FLAGS32 flags: IORING_SETUP_IOPOLL, IORING_SETUP_SQPOLL, IORING_SQ_NEED_WAKEUP, IORING_SETUP_SQ_AFF, IORING_SETUP_CQSIZE, IORING_SETUP_CLAMP, IORING_SETUP_ATTACH_RW, IORING_SETUP_R_DISABLED, UINT32 sq_thread_cpu, UINT32 sq_thread_idle, FLAGS32 features: IORING_FEAT_SINGLE_MMAP, IORING_FEAT_NODROP, IORING_FEAT_SUBMIT_STABLE, IORING_FEAT_RW_CUR_POS, IORING_FEAT_CUR_PERSONALITY, IORING_FEAT_FAST_POLL, IORING_FEAT_POLL_32BITS, IORING_FEAT_SQPOLL_NONFIXED, IORING_FEAT_ENTER_EXT_ARG, IORING_FEAT_NATIVE_WORKERS, IORING_FEAT_RSRC_TAGS | all | all |
| Yes | > | io_uring_enter | all | all | |
| Yes | < | io_uring_enter | ERRNO res, FD fd, UINT32 to_submit, UINT32 min_complete, FLAGS32 flags: IORING_ENTER_GETEVENTS, IORING_ENTER_SQ_WAKEUP, IORING_ENTER_SQ_WAIT, IORING_ENTER_EXT_ARG, SIGSET sig | all | all |
| Yes | > | io_uring_register | all | all | |
| Yes | < | io_uring_register | ERRNO res, FD fd, ENUMFLAGS16 opcode: IORING_REGISTER_BUFFERS, IORING_UNREGISTER_BUFFERS, IORING_REGISTER_FILES, IORING_UNREGISTER_FILES, IORING_REGISTER_EVENTFD, IORING_UNREGISTER_EVENTFD, IORING_REGISTER_FILES_UPDATE, IORING_REGISTER_EVENTFD_ASYNC, IORING_REGISTER_PROBE, IORING_REGISTER_PERSONALITY, IORING_UNREGISTER_PERSONALITY, IORING_REGISTER_RESTRICTIONS, IORING_REGISTER_ENABLE_RINGS, IORING_REGISTER_FILES2, IORING_REGISTER_FILES_UPDATE2, IORING_REGISTER_BUFFERS2, IORING_REGISTER_BUFFERS_UPDATE, IORING_REGISTER_IOWQ_AFF, IORING_UNREGISTER_IOWQ_AFF, IORING_REGISTER_IOWQ_MAX_WORKERS, IORING_REGISTER_RING_FDS, IORING_UNREGISTER_RING_FDS, UINT64 arg, UINT32 nr_args | all | all |
| Yes | > | mlock | all | all | |
| Yes | < | mlock | ERRNO res, UINT64 addr, UINT64 len | all | all |
| Yes | > | munlock | all | all | |
| Yes | < | munlock | ERRNO res, UINT64 addr, UINT64 len | all | all |
| Yes | > | mlockall | all | all | |
| Yes | < | mlockall | ERRNO res, FLAGS32 flags: MCL_CURRENT, MCL_FUTURE, MCL_ONFAULT | all | all |
| Yes | > | munlockall | all | all | |
| Yes | < | munlockall | ERRNO res | all | all |
| Yes | > | capset | all | all | |
| Yes | < | capset | ERRNO res, UINT64 cap_inheritable, UINT64 cap_permitted, UINT64 cap_effective | all | all |
| Yes | > | dup2 | FD fd | all | all |
| Yes | < | dup2 | FD res, FD oldfd, FD newfd | all | all |
| Yes | > | dup3 | FD fd | all | all |
| Yes | < | dup3 | FD res, FD oldfd, FD newfd, FLAGS32 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE, O_F_CREATED, FD_UPPER_LAYER, FD_LOWER_LAYER | all | all |
| Yes | > | dup | FD fd | all | all |
| Yes | < | dup | FD res, FD oldfd | all | all |
| Yes | > | bpf | INT64 cmd | all | all |
| Yes | < | bpf | FD fd, ENUMFLAGS32 cmd: BPF_MAP_CREATE, BPF_MAP_LOOKUP_ELEM, BPF_MAP_UPDATE_ELEM, BPF_MAP_DELETE_ELEM, BPF_MAP_GET_NEXT_KEY, BPF_PROG_LOAD, BPF_OBJ_PIN, BPF_OBJ_GET, BPF_PROG_ATTACH, BPF_PROG_DETACH, BPF_PROG_TEST_RUN, BPF_PROG_RUN, BPF_PROG_GET_NEXT_ID, BPF_MAP_GET_NEXT_ID, BPF_PROG_GET_FD_BY_ID, BPF_MAP_GET_FD_BY_ID, BPF_OBJ_GET_INFO_BY_FD, BPF_PROG_QUERY, BPF_RAW_TRACEPOINT_OPEN, BPF_BTF_LOAD, BPF_BTF_GET_FD_BY_ID, BPF_TASK_FD_QUERY, BPF_MAP_LOOKUP_AND_DELETE_ELEM, BPF_MAP_FREEZE, BPF_BTF_GET_NEXT_ID, BPF_MAP_LOOKUP_BATCH, BPF_MAP_LOOKUP_AND_DELETE_BATCH, BPF_MAP_UPDATE_BATCH, BPF_MAP_DELETE_BATCH, BPF_LINK_CREATE, BPF_LINK_UPDATE, BPF_LINK_GET_FD_BY_ID, BPF_LINK_GET_NEXT_ID, BPF_ENABLE_STATS, BPF_ITER_CREATE, BPF_LINK_DETACH, BPF_PROG_BIND_MAP | all | all |
| Yes | > | mlock2 | all | all | |
| Yes | < | mlock2 | ERRNO res, UINT64 addr, UINT64 len, FLAGS32 flags: MLOCK_ONFAULT | all | all |
| Yes | > | fsconfig | all | all | |
| Yes | < | fsconfig | ERRNO res, FD fd, ENUMFLAGS32 cmd: FSCONFIG_SET_FLAG, FSCONFIG_SET_STRING, FSCONFIG_SET_BINARY, FSCONFIG_SET_PATH, FSCONFIG_SET_PATH_EMPTY, FSCONFIG_SET_FD, FSCONFIG_CMD_CREATE, FSCONFIG_CMD_RECONFIGURE, CHARBUF key, BYTEBUF value_bytebuf, CHARBUF value_charbuf, INT32 aux | all | all |
| Yes | > | epoll_create | INT32 size | all | all |
| Yes | < | epoll_create | ERRNO res | all | all |
| Yes | > | epoll_create1 | FLAGS32 flags: EPOLL_CLOEXEC | all | all |
| Yes | < | epoll_create1 | ERRNO res | all | all |
| Yes | > | chown | all | all | |
| Yes | < | chown | ERRNO res, FSPATH path, UINT32 uid, UINT32 gid | all | all |
| Yes | > | lchown | all | all | |
| Yes | < | lchown | ERRNO res, FSPATH path, UINT32 uid, UINT32 gid | all | all |
| Yes | > | fchown | all | all | |
| Yes | < | fchown | ERRNO res, FD fd, UINT32 uid, UINT32 gid | all | all |
| Yes | > | fchownat | all | all | |
| Yes | < | fchownat | ERRNO res, FD dirfd, FSRELPATH pathname, UINT32 uid, UINT32 gid, FLAGS32 flags: AT_SYMLINK_NOFOLLOW, AT_EMPTY_PATH | all | all |
| Yes | > | umount | all | all | |
| Yes | < | umount | ERRNO res, FSPATH name | all | all |
| Yes | > | accept4 | INT32 flags | all | all |
| Yes | < | accept4 | FD fd, SOCKTUPLE tuple, UINT8 queuepct, UINT32 queuelen, UINT32 queuemax | all | all |
| Yes | > | umount2 | FLAGS32 flags: FORCE, DETACH, EXPIRE, NOFOLLOW | all | all |
| Yes | < | umount2 | ERRNO res, FSPATH name | all | all |
| Yes | > | pipe2 | all | all | |
| Yes | < | pipe2 | ERRNO res, FD fd1, FD fd2, UINT64 ino, FLAGS32 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE, O_F_CREATED, FD_UPPER_LAYER, FD_LOWER_LAYER | all | all |
| Yes | > | inotify_init1 | all | all | |
| Yes | < | inotify_init1 | FD res, FLAGS16 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE, O_F_CREATED, FD_UPPER_LAYER, FD_LOWER_LAYER | all | all |
| Yes | > | eventfd2 | UINT64 initval | all | all |
| Yes | < | eventfd2 | FD res, FLAGS16 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE, O_F_CREATED, FD_UPPER_LAYER, FD_LOWER_LAYER | all | all |
| Yes | > | signalfd4 | FD fd, UINT32 mask | all | all |
| Yes | < | signalfd4 | FD res, FLAGS16 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE, O_F_CREATED, FD_UPPER_LAYER, FD_LOWER_LAYER | all | all |
| Yes | > | prctl | all | all | |
| Yes | < | prctl | ERRNO res, ENUMFLAGS32 option: PR_GET_DUMPABLE, PR_SET_DUMPABLE, PR_GET_KEEPCAPS, PR_SET_KEEPCAPS, PR_SET_NAME, PR_GET_NAME, PR_GET_SECCOMP, PR_SET_SECCOMP, PR_CAPBSET_READ, PR_CAPBSET_DROP, PR_GET_SECUREBITS, PR_SET_SECUREBITS, PR_MCE_KILL, PR_MCE_KILL, PR_SET_MM, PR_SET_CHILD_SUBREAPER, PR_GET_CHILD_SUBREAPER, PR_SET_NO_NEW_PRIVS, PR_GET_NO_NEW_PRIVS, PR_GET_TID_ADDRESS, PR_SET_THP_DISABLE, PR_GET_THP_DISABLE, PR_CAP_AMBIENT, CHARBUF arg2_str, INT64 arg2_int | all | all |
| Yes | > | memfd_create | all | all | |
| Yes | < | memfd_create | FD fd, CHARBUF name, FLAGS32 flags: MFD_CLOEXEC, MFD_ALLOW_SEALING, MFD_HUGETLB | all | all |
| Yes | > | pidfd_getfd | all | all | |
| Yes | < | pidfd_getfd | FD fd, FD pid_fd, FD target_fd, UINT32 flags | all | all |
| Yes | > | pidfd_open | all | all | |
| Yes | < | pidfd_open | FD fd, PID pid, FLAGS32 flags: PIDFD_NONBLOCK | all | all |
| Yes | > | init_module | all | all | |
| Yes | < | init_module | ERRNO res, BYTEBUF img, UINT64 length, CHARBUF uargs | all | all |
| Yes | > | finit_module | all | all | |
| Yes | < | finit_module | ERRNO res, FD fd, CHARBUF uargs, FLAGS32 flags: MODULE_INIT_IGNORE_MODVERSIONS, MODULE_INIT_IGNORE_VERMAGIC, MODULE_INIT_COMPRESSED_FILE | all | all |
| Yes | > | mknod | all | all | |
| Yes | < | mknod | ERRNO res, FSPATH path, MODE mode, UINT32 dev | all | all |
| Yes | > | mknodat | all | all | |
| Yes | < | mknodat | ERRNO res, FD dirfd, FSRELPATH path, MODE mode, UINT32 dev | all | all |
| Yes | > | newfstatat | all | all | |
| Yes | < | newfstatat | ERRNO res, FD dirfd, FSRELPATH path, FLAGS32 flags: AT_EMPTY_PATH, AT_NO_AUTOMOUNT, AT_SYMLINK_NOFOLLOW | all | all |
| Yes | > | process_vm_readv | all | all | |
| Yes | < | process_vm_readv | INT64 res, PID pid, BYTEBUF data | all | all |
| Yes | > | process_vm_writev | all | all | |
| Yes | < | process_vm_writev | INT64 res, PID pid, BYTEBUF data | all | all |
| Yes | > | delete_module | all | all | |
| Yes | < | delete_module | ERRNO res, CHARBUF name, FLAGS32 flags: O_NONBLOCK, O_TRUNC | all | all |
| Yes | > | setreuid | all | all | |
| Yes | < | setreuid | ERRNO res, UID ruid, UID euid | all | all |
| Yes | > | setregid | all | all | |
| Yes | < | setregid | ERRNO res, UID rgid, UID egid | all | all |
| Yes | > | open_tree_attr | SYSCALLID ID, UINT16 nativeID | 14.3.0 and above | 6.2.0 and above |
| Yes | < | open_tree_attr | SYSCALLID ID | 14.3.0 and above | 6.2.0 and above |
| Yes | > | setxattrat | SYSCALLID ID, UINT16 nativeID | 13.8.0 and above | 5.4.0 and above |
| Yes | < | setxattrat | SYSCALLID ID | 13.8.0 and above | 5.4.0 and above |
| Yes | > | uretprobe | SYSCALLID ID, UINT16 nativeID | 13.5.0 and above | all |
| Yes | < | uretprobe | SYSCALLID ID | 13.5.0 and above | all |
| Yes | > | lsm_list_modules | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | lsm_list_modules | SYSCALLID ID | all | all |
| Yes | > | lsm_get_self_attr | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | lsm_get_self_attr | SYSCALLID ID | all | all |
| Yes | > | statmount | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | statmount | SYSCALLID ID | all | all |
| Yes | > | listmount | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | listmount | SYSCALLID ID | all | all |
| Yes | > | capget | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | capget | SYSCALLID ID | all | all |
| Yes | > | inotify_rm_watch | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | inotify_rm_watch | SYSCALLID ID | all | all |
| Yes | > | clock_getres | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | clock_getres | SYSCALLID ID | all | all |
| Yes | > | kexec_load | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | kexec_load | SYSCALLID ID | all | all |
| Yes | > | mq_notify | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | mq_notify | SYSCALLID ID | all | all |
| Yes | > | utimes | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | utimes | SYSCALLID ID | all | all |
| Yes | > | set_robust_list | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | set_robust_list | SYSCALLID ID | all | all |
| Yes | > | shmget | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | shmget | SYSCALLID ID | all | all |
| Yes | > | fspick | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | fspick | SYSCALLID ID | all | all |
| Yes | > | timer_delete | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | timer_delete | SYSCALLID ID | all | all |
| Yes | > | sethostname | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sethostname | SYSCALLID ID | all | all |
| Yes | > | exit_group | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | exit_group | SYSCALLID ID | all | all |
| Yes | > | fsmount | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | fsmount | SYSCALLID ID | all | all |
| Yes | > | clock_gettime | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | clock_gettime | SYSCALLID ID | all | all |
| Yes | > | listxattrat | SYSCALLID ID, UINT16 nativeID | 13.8.0 and above | 5.4.0 and above |
| Yes | < | listxattrat | SYSCALLID ID | 13.8.0 and above | 5.4.0 and above |
| Yes | > | timerfd_gettime | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | timerfd_gettime | SYSCALLID ID | all | all |
| Yes | > | timer_getoverrun | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | timer_getoverrun | SYSCALLID ID | all | all |
| Yes | > | s390_pci_mmio_write | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | s390_pci_mmio_write | SYSCALLID ID | all | all |
| Yes | > | io_setup | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | io_setup | SYSCALLID ID | all | all |
| Yes | > | inotify_add_watch | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | inotify_add_watch | SYSCALLID ID | all | all |
| Yes | > | pidfd_send_signal | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | pidfd_send_signal | SYSCALLID ID | all | all |
| Yes | > | epoll_ctl | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | epoll_ctl | SYSCALLID ID | all | all |
| Yes | > | get_thread_area | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | get_thread_area | SYSCALLID ID | all | all |
| Yes | > | switch_endian | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | switch_endian | SYSCALLID ID | all | all |
| Yes | > | setitimer | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | setitimer | SYSCALLID ID | all | all |
| Yes | > | io_submit | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | io_submit | SYSCALLID ID | all | all |
| Yes | > | sched_setaffinity | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sched_setaffinity | SYSCALLID ID | all | all |
| Yes | > | request_key | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | request_key | SYSCALLID ID | all | all |
| Yes | > | fanotify_init | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | fanotify_init | SYSCALLID ID | all | all |
| Yes | > | fsopen | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | fsopen | SYSCALLID ID | all | all |
| Yes | > | sched_setattr | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sched_setattr | SYSCALLID ID | all | all |
| Yes | > | sched_getaffinity | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sched_getaffinity | SYSCALLID ID | all | all |
| Yes | > | rt_sigqueueinfo | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | rt_sigqueueinfo | SYSCALLID ID | all | all |
| Yes | > | utimensat | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | utimensat | SYSCALLID ID | all | all |
| Yes | > | fremovexattr | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | fremovexattr | SYSCALLID ID | all | all |
| Yes | > | getgroups | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | getgroups | SYSCALLID ID | all | all |
| Yes | > | removexattr | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | removexattr | SYSCALLID ID | all | all |
| Yes | > | llistxattr | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | llistxattr | SYSCALLID ID | all | all |
| Yes | > | waitid | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | waitid | SYSCALLID ID | all | all |
| Yes | > | arch_prctl | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | arch_prctl | SYSCALLID ID | all | all |
| Yes | > | sigaction | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sigaction | SYSCALLID ID | all | all |
| Yes | > | mq_timedsend | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | mq_timedsend | SYSCALLID ID | all | all |
| Yes | > | setxattr | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | setxattr | SYSCALLID ID | all | all |
| Yes | > | shmdt | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | shmdt | SYSCALLID ID | all | all |
| Yes | > | sigpending | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sigpending | SYSCALLID ID | all | all |
| Yes | > | fgetxattr | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | fgetxattr | SYSCALLID ID | all | all |
| Yes | > | lgetxattr | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | lgetxattr | SYSCALLID ID | all | all |
| Yes | > | fsync | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | fsync | SYSCALLID ID | all | all |
| Yes | > | spu_create | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | spu_create | SYSCALLID ID | all | all |
| Yes | > | fsetxattr | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | fsetxattr | SYSCALLID ID | all | all |
| Yes | > | lsetxattr | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | lsetxattr | SYSCALLID ID | all | all |
| Yes | > | idle | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | idle | SYSCALLID ID | all | all |
| Yes | > | shmat | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | shmat | SYSCALLID ID | all | all |
| Yes | > | adjtimex | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | adjtimex | SYSCALLID ID | all | all |
| Yes | > | query_module | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | query_module | SYSCALLID ID | all | all |
| Yes | > | timer_create | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | timer_create | SYSCALLID ID | all | all |
| Yes | > | gettid | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | gettid | SYSCALLID ID | all | all |
| Yes | > | membarrier | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | membarrier | SYSCALLID ID | all | all |
| Yes | > | add_key | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | add_key | SYSCALLID ID | all | all |
| Yes | > | swapoff | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | swapoff | SYSCALLID ID | all | all |
| Yes | > | madvise | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | madvise | SYSCALLID ID | all | all |
| Yes | > | s390_pci_mmio_read | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | s390_pci_mmio_read | SYSCALLID ID | all | all |
| Yes | > | setfsgid | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | setfsgid | SYSCALLID ID | all | all |
| Yes | > | setfsuid | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | setfsuid | SYSCALLID ID | all | all |
| Yes | > | getpgrp | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | getpgrp | SYSCALLID ID | all | all |
| Yes | > | personality | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | personality | SYSCALLID ID | all | all |
| Yes | > | getxattr | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | getxattr | SYSCALLID ID | all | all |
| Yes | > | move_mount | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | move_mount | SYSCALLID ID | all | all |
| Yes | > | get_mempolicy | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | get_mempolicy | SYSCALLID ID | all | all |
| Yes | > | getpriority | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | getpriority | SYSCALLID ID | all | all |
| Yes | > | removexattrat | SYSCALLID ID, UINT16 nativeID | 13.8.0 and above | 5.4.0 and above |
| Yes | < | removexattrat | SYSCALLID ID | 13.8.0 and above | 5.4.0 and above |
| Yes | > | readlinkat | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | readlinkat | SYSCALLID ID | all | all |
| Yes | > | mount_setattr | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | mount_setattr | SYSCALLID ID | all | all |
| Yes | > | clock_settime | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | clock_settime | SYSCALLID ID | all | all |
| Yes | > | umask | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | umask | SYSCALLID ID | all | all |
| Yes | > | lookup_dcookie | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | lookup_dcookie | SYSCALLID ID | all | all |
| Yes | > | quotactl_fd | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | quotactl_fd | SYSCALLID ID | all | all |
| Yes | > | timer_settime | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | timer_settime | SYSCALLID ID | all | all |
| Yes | > | truncate | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | truncate | SYSCALLID ID | all | all |
| Yes | > | mremap | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | mremap | SYSCALLID ID | all | all |
| Yes | > | rtas | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | rtas | SYSCALLID ID | all | all |
| Yes | > | lsm_set_self_attr | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | lsm_set_self_attr | SYSCALLID ID | all | all |
| Yes | > | syslog | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | syslog | SYSCALLID ID | all | all |
| Yes | > | fstatfs | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | fstatfs | SYSCALLID ID | all | all |
| Yes | > | ioperm | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | ioperm | SYSCALLID ID | all | all |
| Yes | > | riscv_flush_icache | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | riscv_flush_icache | SYSCALLID ID | all | all |
| Yes | > | keyctl | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | keyctl | SYSCALLID ID | all | all |
| Yes | > | uselib | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | uselib | SYSCALLID ID | all | all |
| Yes | > | reboot | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | reboot | SYSCALLID ID | all | all |
| Yes | > | futimesat | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | futimesat | SYSCALLID ID | all | all |
| Yes | > | timer_gettime | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | timer_gettime | SYSCALLID ID | all | all |
| Yes | > | flistxattr | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | flistxattr | SYSCALLID ID | all | all |
| Yes | > | setgroups | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | setgroups | SYSCALLID ID | all | all |
| Yes | > | sched_rr_get_interval | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sched_rr_get_interval | SYSCALLID ID | all | all |
| Yes | > | gettimeofday | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | gettimeofday | SYSCALLID ID | all | all |
| Yes | > | readlink | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | readlink | SYSCALLID ID | all | all |
| Yes | > | syncfs | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | syncfs | SYSCALLID ID | all | all |
| Yes | > | get_robust_list | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | get_robust_list | SYSCALLID ID | all | all |
| Yes | > | listxattr | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | listxattr | SYSCALLID ID | all | all |
| Yes | > | set_mempolicy | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | set_mempolicy | SYSCALLID ID | all | all |
| Yes | > | s390_guarded_storage | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | s390_guarded_storage | SYSCALLID ID | all | all |
| Yes | > | settimeofday | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | settimeofday | SYSCALLID ID | all | all |
| Yes | > | mq_unlink | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | mq_unlink | SYSCALLID ID | all | all |
| Yes | > | swapon | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | swapon | SYSCALLID ID | all | all |
| Yes | > | pselect6 | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | pselect6 | SYSCALLID ID | all | all |
| Yes | > | io_cancel | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | io_cancel | SYSCALLID ID | all | all |
| Yes | > | ioprio_get | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | ioprio_get | SYSCALLID ID | all | all |
| Yes | > | uname | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | uname | SYSCALLID ID | all | all |
| Yes | > | shmctl | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | shmctl | SYSCALLID ID | all | all |
| Yes | > | time | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | time | SYSCALLID ID | all | all |
| Yes | > | pkey_free | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | pkey_free | SYSCALLID ID | all | all |
| Yes | > | readahead | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | readahead | SYSCALLID ID | all | all |
| Yes | > | statfs | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | statfs | SYSCALLID ID | all | all |
| Yes | > | fanotify_mark | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | fanotify_mark | SYSCALLID ID | all | all |
| Yes | > | ioprio_set | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | ioprio_set | SYSCALLID ID | all | all |
| Yes | > | times | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | times | SYSCALLID ID | all | all |
| Yes | > | process_madvise | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | process_madvise | SYSCALLID ID | all | all |
| Yes | > | vmsplice | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | vmsplice | SYSCALLID ID | all | all |
| Yes | > | rt_sigtimedwait | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | rt_sigtimedwait | SYSCALLID ID | all | all |
| Yes | > | preadv2 | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | preadv2 | SYSCALLID ID | all | all |
| Yes | > | create_module | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | create_module | SYSCALLID ID | all | all |
| Yes | > | remap_file_pages | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | remap_file_pages | SYSCALLID ID | all | all |
| Yes | > | lremovexattr | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | lremovexattr | SYSCALLID ID | all | all |
| Yes | > | landlock_create_ruleset | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | landlock_create_ruleset | SYSCALLID ID | all | all |
| Yes | > | timerfd | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | timerfd | SYSCALLID ID | all | all |
| Yes | > | pause | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | pause | SYSCALLID ID | all | all |
| Yes | > | stime | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | stime | SYSCALLID ID | all | all |
| Yes | > | sched_setparam | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sched_setparam | SYSCALLID ID | all | all |
| Yes | > | name_to_handle_at | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | name_to_handle_at | SYSCALLID ID | all | all |
| Yes | > | utime | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | utime | SYSCALLID ID | all | all |
| Yes | > | getpid | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | getpid | SYSCALLID ID | all | all |
| Yes | > | sync | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sync | SYSCALLID ID | all | all |
| Yes | > | getxattrat | SYSCALLID ID, UINT16 nativeID | 13.8.0 and above | 5.4.0 and above |
| Yes | < | getxattrat | SYSCALLID ID | 13.8.0 and above | 5.4.0 and above |
| Yes | > | clock_adjtime | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | clock_adjtime | SYSCALLID ID | all | all |
| Yes | > | restart_syscall | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | restart_syscall | SYSCALLID ID | all | all |
| Yes | > | io_getevents | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | io_getevents | SYSCALLID ID | all | all |
| Yes | > | sysfs | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sysfs | SYSCALLID ID | all | all |
| Yes | > | get_kernel_syms | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | get_kernel_syms | SYSCALLID ID | all | all |
| Yes | > | epoll_pwait | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | epoll_pwait | SYSCALLID ID | all | all |
| Yes | > | futex_wait | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | futex_wait | SYSCALLID ID | all | all |
| Yes | > | acct | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | acct | SYSCALLID ID | all | all |
| Yes | > | setdomainname | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | setdomainname | SYSCALLID ID | all | all |
| Yes | > | sysinfo | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sysinfo | SYSCALLID ID | all | all |
| Yes | > | msgsnd | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | msgsnd | SYSCALLID ID | all | all |
| Yes | > | mincore | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | mincore | SYSCALLID ID | all | all |
| Yes | > | cachestat | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | cachestat | SYSCALLID ID | all | all |
| Yes | > | pivot_root | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | pivot_root | SYSCALLID ID | all | all |
| Yes | > | exit | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | exit | SYSCALLID ID | all | all |
| Yes | > | getppid | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | getppid | SYSCALLID ID | all | all |
| Yes | > | io_destroy | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | io_destroy | SYSCALLID ID | all | all |
| Yes | > | ustat | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | ustat | SYSCALLID ID | all | all |
| Yes | > | epoll_wait_old | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | epoll_wait_old | SYSCALLID ID | all | all |
| Yes | > | vhangup | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | vhangup | SYSCALLID ID | all | all |
| Yes | > | _sysctl | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | _sysctl | SYSCALLID ID | all | all |
| Yes | > | alarm | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | alarm | SYSCALLID ID | all | all |
| Yes | > | rt_sigprocmask | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | rt_sigprocmask | SYSCALLID ID | all | all |
| Yes | > | rt_tgsigqueueinfo | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | rt_tgsigqueueinfo | SYSCALLID ID | all | all |
| Yes | > | rt_sigaction | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | rt_sigaction | SYSCALLID ID | all | all |
| Yes | > | fchmodat2 | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | fchmodat2 | SYSCALLID ID | all | all |
| Yes | > | wait4 | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | wait4 | SYSCALLID ID | all | all |
| Yes | > | getpgid | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | getpgid | SYSCALLID ID | all | all |
| Yes | > | sched_yield | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sched_yield | SYSCALLID ID | all | all |
| Yes | > | signal | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | signal | SYSCALLID ID | all | all |
| Yes | > | clock_nanosleep | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | clock_nanosleep | SYSCALLID ID | all | all |
| Yes | > | pkey_mprotect | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | pkey_mprotect | SYSCALLID ID | all | all |
| Yes | > | fdatasync | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | fdatasync | SYSCALLID ID | all | all |
| Yes | > | getrusage | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | getrusage | SYSCALLID ID | all | all |
| Yes | > | futex_wake | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | futex_wake | SYSCALLID ID | all | all |
| Yes | > | sched_getparam | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sched_getparam | SYSCALLID ID | all | all |
| Yes | > | sched_setscheduler | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sched_setscheduler | SYSCALLID ID | all | all |
| Yes | > | setpriority | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | setpriority | SYSCALLID ID | all | all |
| Yes | > | mseal | SYSCALLID ID, UINT16 nativeID | 13.4.0 and above | all |
| Yes | < | mseal | SYSCALLID ID | 13.4.0 and above | all |
| Yes | > | open_tree | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | open_tree | SYSCALLID ID | all | all |
| Yes | > | kcmp | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | kcmp | SYSCALLID ID | all | all |
| Yes | > | sched_getscheduler | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sched_getscheduler | SYSCALLID ID | all | all |
| Yes | > | sched_get_priority_min | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sched_get_priority_min | SYSCALLID ID | all | all |
| Yes | > | rt_sigsuspend | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | rt_sigsuspend | SYSCALLID ID | all | all |
| Yes | > | rt_sigpending | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | rt_sigpending | SYSCALLID ID | all | all |
| Yes | > | semtimedop | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | semtimedop | SYSCALLID ID | all | all |
| Yes | > | getitimer | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | getitimer | SYSCALLID ID | all | all |
| Yes | > | timerfd_settime | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | timerfd_settime | SYSCALLID ID | all | all |
| Yes | > | sync_file_range2 | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sync_file_range2 | SYSCALLID ID | all | all |
| Yes | > | ipc | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | ipc | SYSCALLID ID | all | all |
| Yes | > | mq_open | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | mq_open | SYSCALLID ID | all | all |
| Yes | > | getcpu | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | getcpu | SYSCALLID ID | all | all |
| Yes | > | epoll_pwait2 | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | epoll_pwait2 | SYSCALLID ID | all | all |
| Yes | > | perf_event_open | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | perf_event_open | SYSCALLID ID | all | all |
| Yes | > | msgrcv | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | msgrcv | SYSCALLID ID | all | all |
| Yes | > | process_mrelease | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | process_mrelease | SYSCALLID ID | all | all |
| Yes | > | bdflush | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | bdflush | SYSCALLID ID | all | all |
| Yes | > | msgctl | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | msgctl | SYSCALLID ID | all | all |
| Yes | > | statfs64 | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | statfs64 | SYSCALLID ID | all | all |
| Yes | > | fstatfs64 | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | fstatfs64 | SYSCALLID ID | all | all |
| Yes | > | fstatat64 | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | fstatat64 | SYSCALLID ID | all | all |
| Yes | > | sigprocmask | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sigprocmask | SYSCALLID ID | all | all |
| Yes | > | socketcall | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | socketcall | SYSCALLID ID | all | all |
| Yes | > | sys_debug_setcontext | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sys_debug_setcontext | SYSCALLID ID | all | all |
| Yes | > | set_tid_address | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | set_tid_address | SYSCALLID ID | all | all |
| Yes | > | _newselect | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | _newselect | SYSCALLID ID | all | all |
| Yes | > | map_shadow_stack | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | map_shadow_stack | SYSCALLID ID | all | all |
| Yes | > | sgetmask | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sgetmask | SYSCALLID ID | all | all |
| Yes | > | olduname | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | olduname | SYSCALLID ID | all | all |
| Yes | > | mq_getsetattr | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | mq_getsetattr | SYSCALLID ID | all | all |
| Yes | > | nice | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | nice | SYSCALLID ID | all | all |
| Yes | > | tee | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | tee | SYSCALLID ID | all | all |
| Yes | > | waitpid | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | waitpid | SYSCALLID ID | all | all |
| Yes | > | fallocate | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | fallocate | SYSCALLID ID | all | all |
| Yes | > | sigaltstack | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sigaltstack | SYSCALLID ID | all | all |
| Yes | > | getrandom | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | getrandom | SYSCALLID ID | all | all |
| Yes | > | fadvise64 | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | fadvise64 | SYSCALLID ID | all | all |
| Yes | > | memfd_secret | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | memfd_secret | SYSCALLID ID | all | all |
| Yes | > | kexec_file_load | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | kexec_file_load | SYSCALLID ID | all | all |
| Yes | > | close_range | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | close_range | SYSCALLID ID | all | all |
| Yes | > | pkey_alloc | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | pkey_alloc | SYSCALLID ID | all | all |
| Yes | > | msgget | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | msgget | SYSCALLID ID | all | all |
| Yes | > | landlock_restrict_self | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | landlock_restrict_self | SYSCALLID ID | all | all |
| Yes | > | mq_timedreceive | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | mq_timedreceive | SYSCALLID ID | all | all |
| Yes | > | landlock_add_rule | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | landlock_add_rule | SYSCALLID ID | all | all |
| Yes | > | msync | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | msync | SYSCALLID ID | all | all |
| Yes | > | modify_ldt | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | modify_ldt | SYSCALLID ID | all | all |
| Yes | > | migrate_pages | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | migrate_pages | SYSCALLID ID | all | all |
| Yes | > | futex_waitv | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | futex_waitv | SYSCALLID ID | all | all |
| Yes | > | move_pages | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | move_pages | SYSCALLID ID | all | all |
| Yes | > | mbind | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | mbind | SYSCALLID ID | all | all |
| Yes | > | epoll_ctl_old | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | epoll_ctl_old | SYSCALLID ID | all | all |
| Yes | > | statx | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | statx | SYSCALLID ID | all | all |
| Yes | > | io_pgetevents | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | io_pgetevents | SYSCALLID ID | all | all |
| Yes | > | set_mempolicy_home_node | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | set_mempolicy_home_node | SYSCALLID ID | all | all |
| Yes | > | getpmsg | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | getpmsg | SYSCALLID ID | all | all |
| Yes | > | sigsuspend | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sigsuspend | SYSCALLID ID | all | all |
| Yes | > | nfsservctl | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | nfsservctl | SYSCALLID ID | all | all |
| Yes | > | rseq | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | rseq | SYSCALLID ID | all | all |
| Yes | > | pciconfig_read | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | pciconfig_read | SYSCALLID ID | all | all |
| Yes | > | sched_getattr | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sched_getattr | SYSCALLID ID | all | all |
| Yes | > | faccessat2 | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | faccessat2 | SYSCALLID ID | all | all |
| Yes | > | sync_file_range | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sync_file_range | SYSCALLID ID | all | all |
| Yes | > | readdir | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | readdir | SYSCALLID ID | all | all |
| Yes | > | s390_sthyi | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | s390_sthyi | SYSCALLID ID | all | all |
| Yes | > | s390_runtime_instr | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | s390_runtime_instr | SYSCALLID ID | all | all |
| Yes | > | sigreturn | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sigreturn | SYSCALLID ID | all | all |
| Yes | > | ftruncate | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | ftruncate | SYSCALLID ID | all | all |
| Yes | > | riscv_hwprobe | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | riscv_hwprobe | SYSCALLID ID | all | all |
| Yes | > | pwritev2 | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | pwritev2 | SYSCALLID ID | all | all |
| Yes | > | futex_requeue | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | futex_requeue | SYSCALLID ID | all | all |
| Yes | > | oldstat | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | oldstat | SYSCALLID ID | all | all |
| Yes | > | multiplexer | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | multiplexer | SYSCALLID ID | all | all |
| Yes | > | oldlstat | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | oldlstat | SYSCALLID ID | all | all |
| Yes | > | oldfstat | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | oldfstat | SYSCALLID ID | all | all |
| Yes | > | ssetmask | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | ssetmask | SYSCALLID ID | all | all |
| Yes | > | spu_run | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | spu_run | SYSCALLID ID | all | all |
| Yes | > | iopl | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | iopl | SYSCALLID ID | all | all |
| Yes | > | getsid | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | getsid | SYSCALLID ID | all | all |
| Yes | > | swapcontext | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | swapcontext | SYSCALLID ID | all | all |
| Yes | > | pciconfig_write | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | pciconfig_write | SYSCALLID ID | all | all |
| Yes | > | vm86 | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | vm86 | SYSCALLID ID | all | all |
| Yes | > | sched_get_priority_max | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | sched_get_priority_max | SYSCALLID ID | all | all |
| Yes | > | oldolduname | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | oldolduname | SYSCALLID ID | all | all |
| Yes | > | faccessat | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | faccessat | SYSCALLID ID | all | all |
| Yes | > | set_thread_area | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | set_thread_area | SYSCALLID ID | all | all |
| Yes | > | subpage_prot | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | subpage_prot | SYSCALLID ID | all | all |
| Yes | > | rt_sigreturn | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | rt_sigreturn | SYSCALLID ID | all | all |
| Yes | > | pciconfig_iobase | SYSCALLID ID, UINT16 nativeID | all | all |
| Yes | < | pciconfig_iobase | SYSCALLID ID | all | all |
Tracepoint events
| Default | Dir | Name | Params | Linux versions | Serverless versions |
|---|---|---|---|---|---|
| Yes | > | switch | PID next, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap | all | all |
| Yes | > | procexit | ERRNO status, ERRNO ret, SIGTYPE sig, UINT8 core, PID reaper_tid | all | all |
| Yes | > | signaldeliver | PID spid, PID dpid, SIGTYPE sig | all | all |
| Yes | > | page_fault | UINT64 addr, UINT64 ip, FLAGS32 error: PROTECTION_VIOLATION, PAGE_NOT_PRESENT, WRITE_ACCESS, READ_ACCESS, USER_FAULT, SUPERVISOR_FAULT, RESERVED_PAGE, INSTRUCTION_FETCH | all | all |
