mirror of
https://github.com/valitydev/osquery-1.git
synced 2024-11-07 01:55:20 +00:00
26 lines
1.3 KiB
Plaintext
26 lines
1.3 KiB
Plaintext
table_name("file_events")
|
|
description("Track time/action changes to files specified in configuration data.")
|
|
schema([
|
|
Column("target_path", TEXT, "The path associated with the event"),
|
|
Column("category", TEXT, "The category of the file defined in the config"),
|
|
Column("action", TEXT, "Change action (UPDATE, REMOVE, etc)"),
|
|
Column("transaction_id", BIGINT, "ID used during bulk update"),
|
|
Column("inode", BIGINT, "Filesystem inode number"),
|
|
Column("uid", BIGINT, "Owning user ID"),
|
|
Column("gid", BIGINT, "Owning group ID"),
|
|
Column("mode", TEXT, "Permission bits"),
|
|
Column("size", BIGINT, "Size of file in bytes"),
|
|
Column("atime", BIGINT, "Last access time"),
|
|
Column("mtime", BIGINT, "Last modification time"),
|
|
Column("ctime", BIGINT, "Last status change time"),
|
|
Column("md5", TEXT, "The MD5 of the file after change"),
|
|
Column("sha1", TEXT, "The SHA1 of the file after change"),
|
|
Column("sha256", TEXT, "The SHA256 of the file after change"),
|
|
Column("hashed", INTEGER,
|
|
"1 if the file was hashed, 0 if not, -1 if hashing failed"),
|
|
Column("time", BIGINT, "Time of file event"),
|
|
Column("eid", TEXT, "Event ID", hidden=True),
|
|
])
|
|
attributes(event_subscriber=True)
|
|
implementation("file_events@file_events::genTable")
|