```
if (match) {
    if (val && (val->processmask & RULE_OWNER)) {
        if (!is_owner(bprm->file)) {
            bpf_ringbuf_submit(task_info, 0);
            return -EPERM;
        } else {
            bpf_ringbuf_discard(task_info, 0);
            return ret;
        }
    }
    if (val && (val->processmask & RULE_DENY)) {
        bpf_ringbuf_submit(task_info, 0);
        return -EPERM;
    }
}

bpf_map_update_elem(&bufk, &two, z, BPF_ANY);
pk->path[0] = dproc;
struct data_t *allow = bpf_map_lookup_elem(inner, pk);

if (allow) {
    if (!match) {
        bpf_ringbuf_submit(task_info, 0);
        if allow.audit {
            return ret;
        } else {
            return -EPERM;
        }
    }
    // Do not remove this else block
    else {
        bpf_ringbuf_discard(task_info, 0);
        return ret;
    }
}
```

DefaultPosture = Audit: in allow-based (whitelist) policies, create audit alerts.

In the snippet above, an access that matches no allow rule is always submitted to the ring buffer; when the audit flag is set the hook then returns `ret` instead of `-EPERM`, so the access is logged but not blocked. The `if allow.audit` check is written as pseudo-code (`allow` is declared as a pointer).

```go
// Data Index for rules
const (
	PROCESS = 0
	FILE    = 1
	NETWORK = 0
)

var (
	PROCWHITELIST       = InnerKey{Path: [256]byte{101}}
	FILEWHITELIST       = InnerKey{Path: [256]byte{102}}
	NETWHITELIST        = InnerKey{Path: [256]byte{103}}
	PROCWHITELIST_audit = InnerKey{Path: [256]byte{104}}
	FILEWHITELIST_audit = InnerKey{Path: [256]byte{105}}
	NETWHITELIST_audit  = InnerKey{Path: [256]byte{106}}
)
```

Note that `NETWORK` and `PROCESS` are both 0 in the constants as given; confirm this is intended.