rule {
    rule_name = "open-etc-passwd"
    syscall_name = open
    filter_expression = { PARAMS[1] == "/etc/passwd" }
    when = after
    action {
        type = LOG
        log_format {%pid[%comm] opened /etc/passwd, params: (%params) fd: %retval}
    }
}
rule {
    rule_name = "write-etc-passwd"
    syscall_name = write
    filter_expression = { PARAMS[1] == 3 && COMM =~ "vi" }
    when = before
    action {
        type = LOG
    }
}