mirror of
https://github.com/valitydev/osquery-1.git
synced 2024-11-08 02:18:53 +00:00
24 lines
1.2 KiB
Plaintext
24 lines
1.2 KiB
Plaintext
table_name("process_file_events")
|
|
description("A File Integrity Monitor implementation using the audit service.")
|
|
|
|
schema([
|
|
Column("operation", TEXT, "Operation type"),
|
|
Column("pid", BIGINT, "Process ID"),
|
|
Column("ppid", BIGINT, "Parent process ID"),
|
|
Column("time", BIGINT, "Time of execution in UNIX time"),
|
|
Column("executable", TEXT, "The executable path"),
|
|
Column("partial", TEXT, "True if this is a partial event (i.e.: this process existed before we started osquery)"),
|
|
Column("cwd", TEXT, "The current working directory of the process"),
|
|
Column("path", TEXT, "The path associated with the event"),
|
|
Column("dest_path", TEXT, "The canonical path associated with the event"),
|
|
Column("uid", TEXT, "The uid of the process performing the action"),
|
|
Column("gid", TEXT, "The gid of the process performing the action"),
|
|
Column("euid", TEXT, "Effective user ID of the process using the file"),
|
|
Column("egid", TEXT, "Effective group ID of the process using the file"),
|
|
Column("uptime", BIGINT, "Time of execution in system uptime"),
|
|
Column("eid", TEXT, "Event ID", hidden=True),
|
|
])
|
|
|
|
attributes(event_subscriber=True)
|
|
implementation("process_file_events@process_file_events::genTable")
|