valitydev/osquery-1
14
0
Fork 0
mirror of https://github.com/valitydev/osquery-1.git synced 2024-11-08 10:23:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
c485474ad6
osquery-1/specs/processes.table

51 lines
2.4 KiB
Plaintext
Raw Blame History

table_name("processes")
description("All running processes on the host system.")
schema([
Column("pid", BIGINT, "Process (or thread) ID", index=True),
Column("name", TEXT, "The process path or shorthand argv[0]"),
Column("path", TEXT, "Path to executed binary"),
Column("cmdline", TEXT, "Complete argv"),
Column("state", TEXT, "Process state"),
Column("cwd", TEXT, "Process current working directory"),
Column("root", TEXT, "Process virtual root directory"),
Column("uid", BIGINT, "Unsigned user ID"),
Column("gid", BIGINT, "Unsigned group ID"),
Column("euid", BIGINT, "Unsigned effective user ID"),
Column("egid", BIGINT, "Unsigned effective group ID"),
Column("suid", BIGINT, "Unsigned saved user ID"),
Column("sgid", BIGINT, "Unsigned saved group ID"),
Column("on_disk", INTEGER,
"The process path exists yes=1, no=0, unknown=-1"),
Column("wired_size", BIGINT, "Bytes of unpagable memory used by process"),
Column("resident_size", BIGINT, "Bytes of private memory used by process"),
Column("total_size", BIGINT, "Total virtual memory size",
aliases=["phys_footprint"]),
Column("user_time", BIGINT, "CPU time spent in user space"),
Column("system_time", BIGINT, "CPU time spent in kernel space"),
Column("disk_bytes_read", BIGINT, "Bytes read from disk"),
Column("disk_bytes_written", BIGINT, "Bytes written to disk"),
Column("start_time", BIGINT,
"Process start in seconds since boot (non-sleeping)"),
Column("parent", BIGINT, "Process parent's PID"),
Column("pgroup", BIGINT, "Process group"),
Column("threads", INTEGER, "Number of threads used by process"),
Column("nice", INTEGER, "Process nice level (-20 to 20, default 0)"),
])
extended_schema(WINDOWS, [
Column("is_elevated_token", INTEGER, "Process uses elevated token yes=1, no=0"),
])
extended_schema(LINUX, [
Column("cgroup_namespace", TEXT, "cgroup namespace inode"),
Column("ipc_namespace", TEXT, "ipc namespace inode"),
Column("mnt_namespace", TEXT, "mnt namespace inode"),
Column("net_namespace", TEXT, "net namespace inode"),
Column("pid_namespace", TEXT, "pid namespace inode"),
Column("user_namespace", TEXT, "user namespace inode"),
Column("uts_namespace", TEXT, "uts namespace inode")
])
attributes(cacheable=True)
implementation("system/processes@genProcesses")
examples([
"select * from processes where pid = 1",
])
Reference in New Issue View Git Blame Copy Permalink