BPFtrace Unsafe Option Usage

Summary
This rule detects potential security risks associated with use of the '--unsafe' option in bpftrace commands. bpftrace is a powerful tracing tool for Linux that lets users write scripts to gather and analyze kernel and system information. The '--unsafe' option can expose the system to various vulnerabilities, potentially allowing users to execute arbitrary code or gain elevated privileges. This rule monitors process creation events for bpftrace executables invoked with the '--unsafe' flag on the command line: the detection condition is met when the command line of the executed bpftrace process contains the '--unsafe' parameter. Be aware that legitimate administrative use may produce false positives, so verify the context of such invocations before taking action.
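The following is an added example, not the rule's own Sigma YAML: a small Python matcher that implements the detection condition described above (process image is bpftrace and the command line contains '--unsafe') and runs it over a handful of constructed process-creation events. Field names (`image`, `command_line`, `user`), the `ProcessEvent` type and the sample events are assumptions made for illustration; the matching is case-insensitive, mirroring Sigma's default string matching.

```python
"""Added example: match process-creation events against the
'bpftrace --unsafe' condition described in the rule summary."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class ProcessEvent:
    """Hypothetical normalized process-creation event (field names assumed)."""
    image: str          # full path of the executed binary
    command_line: str   # full command line as logged by the endpoint sensor
    user: str           # account that launched the process


def matches_bpftrace_unsafe(event: ProcessEvent) -> bool:
    """Return True when the event satisfies the rule's detection condition.

    Image must end in 'bpftrace' (any directory) and the command line must
    contain '--unsafe'. Comparisons are lower-cased to mirror Sigma's
    case-insensitive default for string modifiers.
    """
    image_name = event.image.rsplit("/", 1)[-1].lower()
    if image_name != "bpftrace":
        return False
    return "--unsafe" in event.command_line.lower()


def detect(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Filter a stream of events down to those that trigger the rule."""
    return [e for e in events if matches_bpftrace_unsafe(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Should match: bpftrace started with --unsafe.
    ProcessEvent("/usr/bin/bpftrace",
                 "bpftrace --unsafe /opt/scripts/trace.bt", "root"),
    # Should not match: bpftrace without the unsafe flag.
    ProcessEvent("/usr/bin/bpftrace",
                 "bpftrace -e 'kprobe:do_nanosleep { printf(\"sleep\\n\") }'",
                 "perf-eng"),
    # Should not match: '--unsafe' on the command line of a different binary.
    ProcessEvent("/usr/bin/grep", "grep --unsafe /var/log/syslog", "analyst"),
    # Should match: bpftrace installed under a non-standard prefix.
    ProcessEvent("/usr/local/bin/bpftrace",
                 "/usr/local/bin/bpftrace --UNSAFE -e 'BEGIN { exit() }'",
                 "ops-admin"),
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        # Print the user alongside the command so an analyst can judge whether
        # this is routine administrative use (a likely false positive).
        print(f"ALERT user={hit.user} cmd={hit.command_line}")
```

When wiring this into a real pipeline, keep the `user` (and ideally the parent process) in the alert: the summary notes that administrative use is a common false positive, and that context is what an analyst needs to triage the hit.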
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
Created: 2022-02-11