mirror of
https://github.com/valitydev/osquery-1.git
synced 2024-11-06 09:35:20 +00:00
84b7f4f7a4
Summary: Pull Request resolved: https://github.com/facebook/osquery/pull/5414 Now on different platforms column `start_time` in `processes` table means different things. On Linux it is seconds since system boot, but it works correct only for some platforms, because the number of clock ticks per second was hardcoded. On windows it was abs unix time in seconds since Epoch. On macos it is a time in milliseconds (may be?) since system boot. On freeBSD as far as I can see it an abs time since boot, but also I'm not sure. In order to make it consistent for all OS we changed to more convenient format - absolute time since Epoch. This commit is about Linux. Next diffs going to be about Darwin and freeBSD. Reviewed By: guliashvili Differential Revision: D13918626 fbshipit-source-id: a9cf0570dc6ac9fa125bc8233e9965c4e01566a6
50 lines
3.0 KiB
Plaintext
50 lines
3.0 KiB
Plaintext
table_name("processes")
|
|
description("All running processes on the host system.")
|
|
schema([
|
|
Column("pid", BIGINT, "Process (or thread) ID", index=True),
|
|
Column("name", TEXT, "The process path or shorthand argv[0]"),
|
|
Column("path", TEXT, "Path to executed binary"),
|
|
Column("cmdline", TEXT, "Complete argv"),
|
|
Column("state", TEXT, "Process state"),
|
|
Column("cwd", TEXT, "Process current working directory"),
|
|
Column("root", TEXT, "Process virtual root directory"),
|
|
Column("uid", BIGINT, "Unsigned user ID"),
|
|
Column("gid", BIGINT, "Unsigned group ID"),
|
|
Column("euid", BIGINT, "Unsigned effective user ID"),
|
|
Column("egid", BIGINT, "Unsigned effective group ID"),
|
|
Column("suid", BIGINT, "Unsigned saved user ID"),
|
|
Column("sgid", BIGINT, "Unsigned saved group ID"),
|
|
Column("on_disk", INTEGER,
|
|
"The process path exists yes=1, no=0, unknown=-1"),
|
|
Column("wired_size", BIGINT, "Bytes of unpagable memory used by process"),
|
|
Column("resident_size", BIGINT, "Bytes of private memory used by process"),
|
|
Column("total_size", BIGINT, "Total virtual memory size",
|
|
aliases=["phys_footprint"]),
|
|
Column("user_time", BIGINT, "CPU time in milliseconds spent in user space"),
|
|
Column("system_time", BIGINT, "CPU time in milliseconds spent in kernel space"),
|
|
Column("disk_bytes_read", BIGINT, "Bytes read from disk"),
|
|
Column("disk_bytes_written", BIGINT, "Bytes written to disk"),
|
|
Column("start_time", BIGINT, "Process start time in seconds since Epoch, in case of error -1"),
|
|
Column("parent", BIGINT, "Process parent's PID"),
|
|
Column("pgroup", BIGINT, "Process group"),
|
|
Column("threads", INTEGER, "Number of threads used by process"),
|
|
Column("nice", INTEGER, "Process nice level (-20 to 20, default 0)"),
|
|
])
|
|
extended_schema(WINDOWS, [
|
|
Column("is_elevated_token", INTEGER, "Process uses elevated token yes=1, no=0"),
|
|
Column("elapsed_time", BIGINT, "Elapsed time in seconds this process has been running."),
|
|
Column("handle_count", BIGINT, "Total number of handles that the process has open. This number is the sum of the handles currently opened by each thread in the process."),
|
|
Column("percent_processor_time", BIGINT, "Returns elapsed time that all of the threads of this process used the processor to execute instructions in 100 nanoseconds ticks."),
|
|
])
|
|
extended_schema(DARWIN, [
|
|
Column("upid", BIGINT, "A 64bit pid that is never reused. Returns -1 if we couldn't gather them from the system."),
|
|
Column("uppid", BIGINT, "The 64bit parent pid that is never reused. Returns -1 if we couldn't gather them from the system."),
|
|
Column("cpu_type", INTEGER, "A 64bit pid that is never reused. Returns -1 if we couldn't gather them from the system."),
|
|
Column("cpu_subtype", INTEGER, "The 64bit parent pid that is never reused. Returns -1 if we couldn't gather them from the system."),
|
|
])
|
|
attributes(cacheable=True, strongly_typed_rows=True)
|
|
implementation("system/processes@genProcesses")
|
|
examples([
|
|
"select * from processes where pid = 1",
|
|
])
|