valitydev/osquery-1
14
0
Fork 0
mirror of https://github.com/valitydev/osquery-1.git synced 2024-11-07 18:08:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
98eb6a5055
osquery-1/specs/darwin/process_file_events.table

25 lines
1.3 KiB
Plaintext
Raw Blame History

table_name("process_file_events")
description("Process file events (open and close) from kernel extension.")
schema([
Column("action", TEXT,
"The action taken on the file (OPEN, CLOSED, or CLOSED_MODIFIED)"),
Column("pid", BIGINT, "Process ID of the process using the file"),
Column("parent", BIGINT, "Parent process ID of the process using the file"),
Column("uid", BIGINT, "Real user ID of the user process using the file"),
Column("euid", BIGINT, "Effective user ID of the process using the file"),
Column("gid", BIGINT, "Real group ID of the process using the file"),
Column("egid", BIGINT, "Effective group ID of the processs using the file"),
Column("owner_uid", BIGINT, "User ID of the owner of the file"),
Column("owner_gid", BIGINT, "Group ID of the owner of the file"),
Column("mode", BIGINT, "Indicates the mode of the file"),
Column("path", TEXT, "Path of file"),
Column("ctime", BIGINT, "Time of creation in UNIX epoch time"),
Column("atime", BIGINT, "Time of last access in UNIX epoch time"),
Column("mtime", BIGINT,
"Time of last modification in UNIX epoch time"),
Column("time", BIGINT, "Time of event in UNIX epoch time"),
Column("uptime", BIGINT, "Time of event in system uptime"),
])
attributes(event_subscriber=True)
implementation("process_file_events@process_file_events::genTable")
Reference in New Issue View Git Blame Copy Permalink