The custom_probes file can contain any valid Bourne shell command, variable, or algorithm.
You can define probe and comparison functions that require a single argument in the custom_probes file. When you use the corresponding custom probe keyword in the rules file, the argument after the keyword is interpreted (as $1).
When you use the corresponding custom rule keyword in the rules file, the arguments are interpreted in sequence. The sequence starts after the keyword and ends before the next && or begin script, whichever comes first.
Have root as its owner
Be executable and have permissions set to 755
Contain at least one probe function and one corresponding comparison function
To improve clarity and organization, define all probe functions first, at the top of the file, followed by all comparison functions.