osquery-1/specs/linux/process_file_events.table

24 lines
1.2 KiB
Plaintext

table_name("process_file_events")
description("A File Integrity Monitor implementation using the audit service.")
schema([
Column("operation", TEXT, "Operation type"),
Column("pid", BIGINT, "Process ID"),
Column("ppid", BIGINT, "Parent process ID"),
Column("time", BIGINT, "Time of execution in UNIX time"),
Column("executable", TEXT, "The executable path"),
Column("partial", TEXT, "True if this is a partial event (i.e.: this process existed before we started osquery)"),
Column("cwd", TEXT, "The current working directory of the process"),
Column("path", TEXT, "The path associated with the event"),
Column("dest_path", TEXT, "The canonical path associated with the event"),
Column("uid", TEXT, "The uid of the process performing the action"),
Column("gid", TEXT, "The gid of the process performing the action"),
Column("euid", TEXT, "Effective user ID of the process using the file"),
Column("egid", TEXT, "Effective group ID of the process using the file"),
Column("uptime", BIGINT, "Time of execution in system uptime"),
Column("eid", TEXT, "Event ID", hidden=True),
])
attributes(event_subscriber=True)
implementation("process_file_events@process_file_events::genTable")