The four BPF programs the agent attaches.
connect, exec, file open, DNS — what each one sees, what it doesn't see, and how events are correlated to the workflow step that caused them.
Executable docs ship with the install
The full reference for this topic — configuration files, code samples, CLI flags, API endpoints — ships inside every dpndncY installation so it always matches your installed version. This public-preview page lists what the in-product docs cover.
In the in-product docs
- sys_enter_connect: outbound TCP/UDP visibility, IPv4 + IPv6
- sched_process_exec: argv, cwd, parent pid, ancestry to the workflow step
- security_file_open: sensitive-file allowlist (SSH keys, /etc/shadow, /proc/self/maps, …)
- uprobe:libc:getaddrinfo: every DNS lookup with the resolved address family
- Event correlation: tracing pid → cgroup → workflow step
- Kernel version requirements (BTF + CO-RE)