valitydev/osquery-1
14
0
Fork 0
mirror of https://github.com/valitydev/osquery-1.git synced 2024-11-07 09:58:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
081ea9e76d
osquery-1/specs/darwin/process_file_events.table

26 lines
1.4 KiB
Plaintext
Raw Blame History

table_name("process_file_events")
description("Process file events (open and close) from kernel extension.")
schema([
Column("action", TEXT,
"The action taken on the file (OPEN, CLOSED, or CLOSED_MODIFIED)"),
Column("pid", BIGINT, "Process ID of the process using the file"),
Column("path", TEXT, "Path of file"),
Column("parent", BIGINT, "Parent process ID of the process using the file"),
Column("uid", BIGINT, "Real user ID of the user process using the file"),
Column("euid", BIGINT, "Effective user ID of the process using the file"),
Column("gid", BIGINT, "Real group ID of the process using the file"),
Column("egid", BIGINT, "Effective group ID of the processs using the file"),
Column("mode", BIGINT, "Indicates the mode of the file"),
Column("owner_uid", BIGINT, "User ID of the owner of the file"),
Column("owner_gid", BIGINT, "Group ID of the owner of the file"),
Column("atime", BIGINT, "Time of last access in UNIX epoch time"),
Column("mtime", BIGINT,
"Time of last modification in UNIX epoch time"),
Column("ctime", BIGINT, "Time of last status change"),
Column("time", BIGINT, "Time of event in UNIX epoch time"),
Column("uptime", BIGINT, "Time of event in system uptime"),
Column("eid", TEXT, "Event ID", hidden=True),
])
attributes(event_subscriber=True)
implementation("process_file_events@process_file_events::genTable")
Reference in New Issue View Git Blame Copy Permalink