Open Read

content/en/docs/reference/rules/default-macros/open_read.md

```yaml
- macro: open_read
  condition: (evt.type=open or evt.type=openat) and evt.is_open_read=true and fd.typechar='f' and fd.num>=0
```