osquery-1/specs/utility/file.table


# osquery table spec for the "file" table, written in the Python DSL that the
# table code generator evaluates.  Each Column() is (name, SQL type, description)
# plus option keywords; the column order here is the order of the generated schema.
table_name("file")
description("Interactive filesystem attributes and metadata.")
schema([
# Selector columns.  Both are marked required, yet every example below constrains
# only one of them, so presumably a query must constrain at least one of
# path/directory rather than both -- confirm against the generator and genFile.
# These values decide which filesystem entries the daemon inspects; anything that
# builds them from untrusted input should bound them (see the LIKE example below).
Column("path", TEXT, "Absolute file path", required=True, index=True),
Column("directory", TEXT, "Directory of file(s)", required=True),
Column("filename", TEXT, "Name portion of file path"),
# Ownership and permission metadata.  Note mode is TEXT ("Permission bits"),
# not a numeric column, so compare it as a string.
Column("inode", BIGINT, "Filesystem inode number"),
Column("uid", BIGINT, "Owning user ID"),
Column("gid", BIGINT, "Owning group ID"),
Column("mode", TEXT, "Permission bits"),
Column("device", BIGINT, "Device ID (optional)"),
Column("size", BIGINT, "Size of file in bytes"),
Column("block_size", INTEGER, "Block size of filesystem"),
# Timestamps.  The unit is not stated in this spec (presumably epoch seconds --
# confirm in genFile).  btime is birth/create time; whether it is populated
# presumably depends on the platform and filesystem, so treat 0/empty as "unknown".
Column("atime", BIGINT, "Last access time"),
Column("mtime", BIGINT, "Last modification time"),
Column("ctime", BIGINT, "Last status change time"),
Column("btime", BIGINT, "(B)irth or (cr)eate time"),
Column("hard_links", INTEGER, "Number of hard links"),
# symlink is a 1/0 flag per its description.  Whether the remaining columns
# describe the link itself or its target is not stated here -- check genFile
# before relying on this table for integrity or permission checks.
Column("symlink", INTEGER, "1 if the path is a symlink, otherwise 0"),
Column("type", TEXT, "File status"),
])
# Platform-specific columns, appended to the base schema only on that platform.
extended_schema(WINDOWS, [
Column("attributes", TEXT, "File attrib string. See: https://ss64.com/nt/attrib.html"),
Column("volume_serial", TEXT, "Volume serial number"),
Column("file_id", TEXT, "file ID"),
Column("file_version", TEXT, "File version"),
Column("product_version", TEXT, "File product version"),
])
# macOS: BSD chflags values.  Immutable/append-only flags (UF_IMMUTABLE,
# SF_IMMUTABLE, UF_APPEND, SF_APPEND) are the ones most relevant when auditing
# tamper protection on a file.
extended_schema(DARWIN, [
Column("bsd_flags", TEXT, "The BSD file flags (chflags). Possible values: NODUMP, UF_IMMUTABLE, UF_APPEND, OPAQUE, HIDDEN, ARCHIVED, SF_IMMUTABLE, SF_APPEND")
])
# Linux: pid_with_namespace is additional=True and hidden=True, i.e. presumably an
# optional input constraint that is not shown in the default column list.  Its name
# suggests it resolves paths inside another process's mount namespace, which widens
# what a query can read compared to the daemon's own namespace -- confirm the exact
# semantics in genFile.  mount_namespace_id is hidden output.
extended_schema(LINUX, [
Column("pid_with_namespace", INTEGER, "Pids that contain a namespace", additional=True, hidden=True),
Column("mount_namespace_id", TEXT, "Mount namespace id", hidden=True),
])
# utility=True classifies the table; implementation names the generator entry
# point "genFile" in utility/file.
attributes(utility=True)
implementation("utility/file@genFile")
# Usage examples; each constrains path or directory.  The LIKE form uses a
# wildcard, so the daemon enumerates everything under /etc/ (osquery's path
# wildcards, presumably % and %% for recursive, apply here -- verify for this
# table).  Keep such patterns narrow when the query is user-supplied.
examples([
"select * from file where path = '/etc/passwd'",
"select * from file where directory = '/etc/'",
"select * from file where path LIKE '/etc/%'",
])