Function parse_syscall_events 

pub fn parse_syscall_events(output: &str) -> Vec<SyscallEvent>

Parse command output for syscall events.

Recognises:

  • strace-style lines: openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
  • audit log lines: type=SYSCALL ... syscall=59 ... denied
  • seccomp lines: audit: seccomp ... syscall=read ...
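
An added sketch, not this crate's implementation, of one way to tell the three line shapes above apart. Event, Source, sketch_parse, the denied heuristic and the sample lines are assumptions made for the illustration; the fields of the crate's SyscallEvent are not shown on this page.

```rust
// Added illustration: not the crate's parse_syscall_events or SyscallEvent.
#[derive(Debug, PartialEq)]
enum Source { Strace, Audit, Seccomp }

// syscall: name or number exactly as logged ("openat", "59").
// denied (assumption): a "denied" token, or an strace EACCES/EPERM return.
#[derive(Debug, PartialEq)]
struct Event { source: Source, syscall: String, denied: bool }

// Constructed sample input (not real log data).
const SAMPLE: &str = "openat(AT_FDCWD, \"/etc/passwd\", O_RDONLY) = 3\n\
type=SYSCALL arch=c000003e syscall=59 success=no denied\n\
audit: seccomp pid=1 syscall=read\n\
seccomp(SECCOMP_SET_MODE_FILTER, 0, 0x1) = 0";

// strace shape: name(args) = ret, where strace may pad before " = ".
fn strace(line: &str) -> Option<Event> {
    let (name, rest) = line.trim().split_once('(')?;
    let (args, ret) = rest.rsplit_once(" = ")?;
    let ident = !name.is_empty() && name.chars().all(|c| c.is_ascii_alphanumeric() || c == '_');
    if !ident || !args.trim_end().ends_with(')') { return None; }
    let denied = ret.contains("EACCES") || ret.contains("EPERM");
    Some(Event { source: Source::Strace, syscall: name.into(), denied })
}

fn sketch_parse(output: &str) -> Vec<Event> {
    let mut events = Vec::new();
    for line in output.lines() {
        let toks: Vec<&str> = line.split_whitespace().collect();
        // "seccomp" must be a whole token, so an strace line for the
        // seccomp(2) call itself is not misfiled as a seccomp record.
        let source = if toks.contains(&"seccomp") {
            Source::Seccomp
        } else if toks.contains(&"type=SYSCALL") {
            Source::Audit
        } else {
            events.extend(strace(line));
            continue;
        };
        // Audit and seccomp records carry the call as a syscall= field.
        if let Some(sc) = toks.iter().find_map(|t| t.strip_prefix("syscall=")) {
            let denied = toks.contains(&"denied");
            events.push(Event { source, syscall: sc.into(), denied });
        }
    }
    events
}

fn main() { for e in sketch_parse(SAMPLE) { println!("{:?}", e); } }
```

Audit records log the syscall as a number while the seccomp form on this page uses a name, so the sketch keeps the value as logged rather than normalising it.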