# Scopes

A policy's `scope` defines which workload the policy observes: events are collected only from processes that match the scope filters listed under it. The supported scope filters are:
## global

Events are collected from the whole host, with no filtering on the process that produced them:

```yaml
scope:
  - global
```
## uid

Events are collected only from processes running as the given user id (here root):

```yaml
scope:
  - uid=0
```
## pid

Events are collected only from the process with the given pid:

```yaml
scope:
  - pid=1000
```
## mntns

Events are collected only from processes in the given mount namespace, identified by its inode number (as shown by `readlink /proc/<pid>/ns/mnt`):

```yaml
scope:
  - mntns=4026531840
```
## pidns

Events are collected only from processes in the given pid namespace, identified by its inode number (as shown by `readlink /proc/<pid>/ns/pid`):

```yaml
scope:
  - pidns=4026531836
```
## uts

Events are collected only from processes in the UTS namespace with the given hostname; for a container this is usually its short container id:

```yaml
scope:
  - uts=ab356bc4dd554
```
## comm

Events are collected only from processes named `uname` (the process name as reported in `/proc/<pid>/comm`):

```yaml
scope:
  - comm=uname
```
## container

Events are collected only from processes running inside containers:

```yaml
scope:
  - container
```
## !container

Events are collected from everything except processes running inside containers:

```yaml
scope:
  - !container
```
## tree

Events are collected from the process tree rooted at the given pid, that is, from that process and all of its descendants:

```yaml
scope:
  - tree=1000
```
## binary, bin

Events are collected only from processes whose executable is the given binary path; `bin` is an alias for `binary`:

```yaml
scope:
  - binary=/usr/bin/dig
```
## follow

Events are also collected from the children (and further descendants) of any process matched by the other scope filters, so a matched process's children are traced even when they would not match the filters on their own:

```yaml
scope:
  - follow
```
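To make the semantics of these filters concrete, here is a small Python model of how a scope list selects processes. It is an added example, not Tracee's own code, and it assumes, as Tracee documents, that every filter in one scope list must match (they are ANDed), that `tree=<pid>` covers the process and all of its descendants, and that `follow` extends a match to the descendants of any matched process. The process table, namespace inode numbers and hostnames in it are constructed for the example.

```python
"""Toy evaluator for Tracee-style policy ``scope`` lists (added example).

Assumptions: every filter in one scope list must match (logical AND);
``tree=<pid>`` covers that process and all of its descendants; ``follow``
extends a match to the descendants of any matched process.  The process
table at the bottom is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]  # None for the root of the tree
    uid: int
    comm: str            # process name, as in /proc/<pid>/comm
    binary: str          # path of the executable
    mntns: int           # mount namespace inode number
    pidns: int           # pid namespace inode number
    uts: str             # hostname of the UTS namespace
    container: bool      # True when the process runs inside a container


INT_KEYS = {"uid", "pid", "mntns", "pidns", "tree"}
STR_KEYS = {"comm", "uts", "binary", "bin"}
FLAG_KEYS = {"global", "container", "!container", "follow"}

Filter = Tuple[str, object]


def parse_scope(items: List[str]) -> List[Filter]:
    """Turn the YAML ``scope:`` list into (key, value) pairs.

    ``global`` adds no constraint, ``!container`` becomes ("container", False),
    ``bin`` is normalised to ``binary``, and unknown keys or non-numeric ids
    raise so that a typo cannot silently widen the scope.
    """
    filters: List[Filter] = []
    for raw in items:
        key, _, value = raw.strip().partition("=")
        if key in FLAG_KEYS and not value:
            if key == "container":
                filters.append(("container", True))
            elif key == "!container":
                filters.append(("container", False))
            elif key == "follow":
                filters.append(("follow", None))
            # "global": nothing to add
        elif key in INT_KEYS and value.isdigit():
            filters.append((key, int(value)))
        elif key in STR_KEYS and value:
            filters.append(("binary" if key == "bin" else key, value))
        else:
            raise ValueError(f"unsupported scope filter: {raw!r}")
    return filters


def ancestors(table: Dict[int, Proc], pid: int) -> Iterator[int]:
    """Yield the pids of pid's parent, grandparent, ... up to the root."""
    parent = table[pid].ppid
    while parent is not None and parent in table:
        yield parent
        parent = table[parent].ppid


def matches_directly(table: Dict[int, Proc], proc: Proc, filters: List[Filter]) -> bool:
    """True when proc itself satisfies every filter except ``follow``."""
    for key, value in filters:
        if key == "follow":
            continue
        if key == "tree":
            if proc.pid != value and value not in ancestors(table, proc.pid):
                return False
        elif getattr(proc, key) != value:
            return False
    return True


def in_scope(table: Dict[int, Proc], proc: Proc, filters: List[Filter]) -> bool:
    """With ``follow``, a descendant of a matching process is in scope too."""
    if matches_directly(table, proc, filters):
        return True
    if ("follow", None) in filters:
        return any(matches_directly(table, table[a], filters)
                   for a in ancestors(table, proc.pid))
    return False


def select(table: Dict[int, Proc], scope: List[str]) -> List[int]:
    """Return the sorted pids a policy with this ``scope`` would observe."""
    filters = parse_scope(scope)
    return sorted(p.pid for p in table.values() if in_scope(table, p, filters))


# Constructed process table: a host shell that ran dig, and a container
# (hostname = short container id) whose shell ran uname.
HOST_MNT, HOST_PID = 4026531840, 4026531836
CTR_MNT, CTR_PID = 4026532400, 4026532500
PROCS: Dict[int, Proc] = {p.pid: p for p in [
    Proc(1,    None, 0,    "systemd", "/usr/lib/systemd/systemd", HOST_MNT, HOST_PID, "host", False),
    Proc(1000, 1,    0,    "bash",    "/usr/bin/bash",            HOST_MNT, HOST_PID, "host", False),
    Proc(1001, 1000, 1000, "dig",     "/usr/bin/dig",             HOST_MNT, HOST_PID, "host", False),
    Proc(2000, 1,    0,    "bash",    "/usr/bin/bash",            CTR_MNT,  CTR_PID,  "ab356bc4dd554", True),
    Proc(2001, 2000, 0,    "uname",   "/usr/bin/uname",           CTR_MNT,  CTR_PID,  "ab356bc4dd554", True),
]}

if __name__ == "__main__":
    for scope in (["global"], ["uid=0"], ["tree=1000"], ["!container"],
                  ["comm=bash", "container", "follow"]):
        print(scope, "->", select(PROCS, scope))
```

The two things worth noticing when running it are that `comm=bash` combined with `!container` selects only the host shell (pid 1000) and not the `dig` it launched, while adding `follow` pulls in `dig` as a descendant of a matched process, and that a misspelt or non-numeric filter such as `uid=root` is rejected rather than silently matching nothing or everything.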