Attention
Zercurity has been acquired by JumpCloud.
This documentation will no longer be maintained or updated. You can read more about the acquisition, or sign up for JumpCloud today.
process_file_events
A File Integrity Monitor implementation using the audit service.
Platform support
Please be aware that some queries can only be run against certain platforms. Below is the list of platforms this table is supported on. Zercurity will automatically pause a query if errors are detected. Running this query against an unsupported platform will result in the following error: no such table: process_file_events
- Linux
Table schema
Name | Type | Description |
---|---|---|
operation | TEXT | Operation type |
pid | BIGINT | Process ID |
ppid | BIGINT | Parent process ID |
time | BIGINT | Time of execution in UNIX time |
executable | TEXT | The executable path |
partial | TEXT | True if this is a partial event (i.e.: this process existed before we started osquery) |
cwd | TEXT | The current working directory of the process |
path | TEXT | The path associated with the event |
dest_path | TEXT | The canonical path associated with the event |
uid | TEXT | The uid of the process performing the action |
gid | TEXT | The gid of the process performing the action |
euid | TEXT | Effective user ID of the process using the file |
egid | TEXT | Effective group ID of the process using the file |
uptime | BIGINT | Time of execution in system uptime |
eid | TEXT | Event ID |
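As an added example (not part of this page or of osquery's own documentation), the following scheduled query uses the columns above to surface changes under /etc, enriched with the acting user and parent process. It assumes the audit-backed FIM is enabled and /etc is watched through the osquery file_paths configuration, and that a partial value of '0' marks a complete event; the set of operation strings is not enumerated on this page, so the query reports the operation rather than filtering on it.

```sql
-- Added example: file-integrity events under /etc from process_file_events.
-- Assumptions (not stated on the page): audit FIM is enabled, /etc is in
-- file_paths, and partial = '0' means the process was observed from start.
SELECT
  e.eid,
  datetime(e.time, 'unixepoch') AS event_time,   -- time is UNIX epoch seconds
  e.operation,                                   -- reported, not filtered
  e.path,
  e.dest_path,                                   -- canonical path (renames/links)
  e.executable,
  e.cwd,
  e.pid,
  e.ppid,
  p.name  AS parent_name,                        -- from the processes table
  e.uid,
  e.euid,
  u.username,
  -- Flag events where the effective uid is root but the real uid is not:
  -- a setuid helper or privilege change touched a monitored file.
  CASE WHEN e.euid = '0' AND e.uid != '0' THEN 1 ELSE 0 END AS euid_root_only
FROM process_file_events AS e
LEFT JOIN users     AS u ON u.uid = CAST(e.uid AS INTEGER)   -- uid is TEXT here
LEFT JOIN processes AS p ON p.pid = e.ppid
WHERE e.partial = '0'                            -- skip pre-osquery processes
  AND (e.path LIKE '/etc/%' OR e.dest_path LIKE '/etc/%')
ORDER BY e.time DESC;
```

Schedule it with a short interval and review rows where euid_root_only = 1 or where executable is not a known package manager or configuration tool.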