valitydev/osquery-1
14
0
Fork 0
mirror of https://github.com/valitydev/osquery-1.git synced 2024-11-07 18:08:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
135bc9d1cf
osquery-1/specs/processes.table

49 lines
2.5 KiB
Plaintext
Raw Blame History

table_name("processes")
description("All running processes on the host system.")
schema([
Column("pid", BIGINT, "Process (or thread) ID", index=True),
Column("name", TEXT, "The process path or shorthand argv[0]"),
Column("path", TEXT, "Path to executed binary"),
Column("cmdline", TEXT, "Complete argv"),
Column("state", TEXT, "Process state"),
Column("cwd", TEXT, "Process current working directory"),
Column("root", TEXT, "Process virtual root directory"),
Column("uid", BIGINT, "Unsigned user ID"),
Column("gid", BIGINT, "Unsigned group ID"),
Column("euid", BIGINT, "Unsigned effective user ID"),
Column("egid", BIGINT, "Unsigned effective group ID"),
Column("suid", BIGINT, "Unsigned saved user ID"),
Column("sgid", BIGINT, "Unsigned saved group ID"),
Column("on_disk", INTEGER,
"The process path exists yes=1, no=0, unknown=-1"),
Column("wired_size", BIGINT, "Bytes of unpagable memory used by process"),
Column("resident_size", BIGINT, "Bytes of private memory used by process"),
Column("total_size", BIGINT, "Total virtual memory size",
aliases=["phys_footprint"]),
Column("user_time", BIGINT, "CPU time in milliseconds spent in user space"),
Column("system_time", BIGINT, "CPU time in milliseconds spent in kernel space"),
Column("disk_bytes_read", BIGINT, "Bytes read from disk"),
Column("disk_bytes_written", BIGINT, "Bytes written to disk"),
Column("start_time", BIGINT,
"Process start in seconds since boot (non-sleeping)"),
Column("parent", BIGINT, "Process parent's PID"),
Column("pgroup", BIGINT, "Process group"),
Column("threads", INTEGER, "Number of threads used by process"),
Column("nice", INTEGER, "Process nice level (-20 to 20, default 0)"),
])
extended_schema(WINDOWS, [
Column("is_elevated_token", INTEGER, "Process uses elevated token yes=1, no=0"),
])
extended_schema(DARWIN, [
Column("upid", BIGINT, "A 64bit pid that is never reused. Returns -1 if we couldn't gather them from the system."),
Column("uppid", BIGINT, "The 64bit parent pid that is never reused. Returns -1 if we couldn't gather them from the system."),
Column("cpu_type", INTEGER, "A 64bit pid that is never reused. Returns -1 if we couldn't gather them from the system."),
Column("cpu_subtype", INTEGER, "The 64bit parent pid that is never reused. Returns -1 if we couldn't gather them from the system."),
])
attributes(cacheable=True)
implementation("system/processes@genProcesses")
examples([
"select * from processes where pid = 1",
])
Reference in New Issue View Git Blame Copy Permalink