# A very simple config for introductory purpose. Not for the real-world!
#
# Layout: a `name: condition` line defines a macro that later conditions can
# reference by name; a bare condition line is a rule that fires whenever the
# condition holds for an event. Field names (fd.*, proc.*, evt.*, container.*)
# are taken from the event filtering syntax this file is consumed by.

# Binary directories
# Macro: the event's file descriptor points into one of the listed directories.
# Referenced below by the "System binary is modified" rule.
bin_dir: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)

# Core binaries
# Macro: the process name is one of the listed utilities.
# Referenced below by the "Network traffic" rule.
# NOTE(review): proc.name is the name a process runs under, not a verified
# path or hash of its executable, so an arbitrary program can carry one of
# these names -- treat a match as a weak signal, one reason this file is
# labelled "not for the real-world".
core_binaries: proc.name in (ls, mkdir, cat, less, ps)

# Network traffic to/from standard utility
# fd.typechar 4 / 6 are presumably the IPv4 / IPv6 socket fd types -- confirm
# against the field reference. Fires when a process matching core_binaries
# touches a network socket. Whitespace around `=` varies between the two
# comparisons; both forms appear to be accepted, but keep them uniform when
# editing.
(fd.typechar = 4 or fd.typechar=6) and core_binaries

# System binary is modified
# Fires on a `write` event whose target fd lives in a bin_dir directory.
# NOTE(review): only the `write` event type is named here; other write-family
# events (e.g. pwrite) are not matched by this condition, and routine package
# upgrades writing into these directories will also trigger it -- expect noise.
evt.type = write and bin_dir

# Shell running in container
# container.id is presumably "host" for processes not inside a container, so
# `!= host` selects containerized processes -- confirm. The rule then fires for
# any process named bash in a container (subject to the same proc.name caveat
# as core_binaries above).
container.id != host and proc.name = bash