drop CRI-O log · parse pod lifecycle
flags privileged pod specs · hostPID/hostNetwork · image pull from untrusted registries · sandbox lifecycle
heuristic screener · CRI-O log format varies by distro/version — parsing is best-effort · not definitive proof