Scopes

Scope defines the workload a policy will be observing. The supported scopes are:

global

Events are collected from the whole host:

scope:
    - global

uid

Events are collected from a specific user id:

scope:
    - uid=0

pid

Events are collected from a specific pid:

scope:
    - pid=1000

mntns

Events are collected from a specific mount namespace:

scope:
    - mntns=4026531840

pidns

Events are collected from a specific pid namespace:

scope:
    - pidns=4026531836

uts

Events are collected from a specific uts namespace:

scope:
    - uts=ab356bc4dd554

comm

Events are collected from processes named uname:

scope:
    - comm=uname

container

Events are collected only from containers:

scope:
    - container

!container

Events are collected from everything but containers:

scope:
    - !container

tree

Events are collected from the process tree of the given pid:

scope:
    - tree=1000

binary, bin

Events are collected from a specific binary:

scope:
    - binary=/usr/bin/dig

follow

Collected events also follow process children:

scope:
    - follow
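The scope entries listed above, as a small parser and matcher added here as an example (not Tracee's own code). It assumes that all entries of one scope must hold together (AND), checks the per-process fields against a constructed process table, and models tree and follow by walking that table's parent chain; the Event fields and PROCS entries are constructed for the example.

```python
from dataclasses import dataclass
# "key=value" entries and the Event field each constrains ("bin" aliases "binary").
VALUE_KEYS = {"uid": "uid", "pid": "pid", "mntns": "mntns", "pidns": "pidns",
              "uts": "uts", "comm": "comm", "binary": "binary", "bin": "binary"}
FLAG_KEYS = {"global", "container", "!container", "follow"}   # entries with no value

@dataclass
class Event:  # the per-process fields a scope entry is checked against
    pid: int; ppid: int; uid: int; comm: str; binary: str
    container: bool = False; mntns: int = 0; pidns: int = 0; uts: str = ""

# Constructed process table (pid -> Event) standing in for live host state.
PROCS = {p.pid: p for p in [
    Event(1, 0, 0, "systemd", "/usr/lib/systemd/systemd"),
    Event(1000, 1, 1000, "bash", "/usr/bin/bash"),
    Event(1001, 1000, 1000, "uname", "/usr/bin/uname"),
    Event(2000, 1, 0, "dig", "/usr/bin/dig", container=True, mntns=4026531840),
]}

def parse_scope(entries):
    """Validate the list under 'scope:' and return (key, value) pairs."""
    parsed = []
    for entry in entries:
        key, _, value = entry.partition("=")
        if entry in FLAG_KEYS or (value and key in (*VALUE_KEYS, "tree")):
            parsed.append((key, value or None))
        else:
            raise ValueError(f"unsupported scope entry: {entry!r}")
    return parsed

def lineage(ev, procs):  # the process itself, then its ancestors (cycle-safe)
    chain, seen = [], set()
    while ev is not None and ev.pid not in seen:
        chain.append(ev); seen.add(ev.pid)
        ev = procs.get(ev.ppid)
    return chain

def matches(scope, ev, procs):
    """All entries must hold (assumed AND); 'follow' lets ancestors satisfy them."""
    chain = lineage(ev, procs)
    follow = ("follow", None) in scope
    def holds(key, value, p):
        if key == "tree":
            return str(p.pid) == value
        if key in ("container", "!container"):
            return p.container == (key == "container")
        return key == "global" or str(getattr(p, VALUE_KEYS[key])) == value
    return all(any(holds(k, v, p) for p in (chain if follow or k == "tree" else chain[:1]))
               for k, v in scope if k != "follow")
```

A scope such as `["binary=/usr/bin/dig", "!container"]` therefore rejects the containerised dig process in the table, while `["comm=bash", "follow"]` accepts the uname child of the bash process.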