- name: T0
owner uid: ${uid}
condition: event rule matches
- rule: open (type: syscall:entry+exit)
+ rule: open (type: kernel:syscall:entry+exit)
actions:
notify
errors: none
- name: T1
owner uid: ${uid}
condition: event rule matches
- rule: open (type: syscall:entry)
+ rule: open (type: kernel:syscall:entry)
actions:
notify
errors: none
- name: T2
owner uid: ${uid}
condition: event rule matches
- rule: open (type: syscall:exit)
+ rule: open (type: kernel:syscall:exit)
actions:
notify
errors: none
- name: T3
owner uid: ${uid}
condition: event rule matches
- rule: open (type: syscall:entry+exit)
+ rule: open (type: kernel:syscall:entry+exit)
actions:
notify
errors: none
- name: T4
owner uid: ${uid}
condition: event rule matches
- rule: ptrace (type: syscall:entry+exit, filter: a > 2)
+ rule: ptrace (type: kernel:syscall:entry+exit, filter: a > 2)
actions:
notify
errors: none