process_file_events

A File Integrity Monitor implementation using the audit service.

Platform support

Please be aware that some queries can only be run against certain platforms. Below is a list of the platforms this table supports (it is backed by the Linux audit subsystem, so it is Linux only). Zercurity will automatically pause queries from running if errors are detected. Running a query against an unsupported platform will result in the following error: no such table: process_file_events

  • Linux

Table schema

Name         Type     Description
operation    TEXT     Operation type (the file operation performed, e.g. open, write, unlink, rename)
pid          BIGINT   Process ID
ppid         BIGINT   Parent process ID
time         BIGINT   Time of the event in UNIX time
executable   TEXT     The executable path of the process performing the action
partial      TEXT     True if this is a partial event (i.e. the process existed before osquery started, so some context could not be captured)
cwd          TEXT     The current working directory of the process
path         TEXT     The path associated with the event
dest_path    TEXT     The canonical (resolved) path associated with the event
uid          TEXT     The uid of the process performing the action
gid          TEXT     The gid of the process performing the action
euid         TEXT     Effective user ID of the process using the file
egid         TEXT     Effective group ID of the process using the file
uptime       BIGINT   Time of the event in system uptime (seconds since boot)
eid          TEXT     Event ID

Query examples

Select all the results for the given table.

SELECT * FROM process_file_events;
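The following is an added example, not a query from the original page or from the Zercurity or osquery projects. It shows how a practitioner would use this table as a file integrity monitor rather than dumping every row: it restricts events to the last hour, narrows them to files under /etc, drops an allow-list of package managers that legitimately rewrite configuration, and surfaces the user, effective user and parent so a write from an unexpected binary or a uid/euid mismatch stands out. The /etc prefix and the allow-listed executable paths are constructed assumptions for illustration; adjust them to your fleet. It is also assumed that osquery has the audit publisher and audit FIM enabled (the --audit_allow_fim_events flag) and that the watched directories are listed under the file_paths block of the osquery configuration, since only configured paths generate rows in this table.

```sql
-- Added example (not from the original page): recent file events under /etc
-- that were not produced by a known package manager. Rows whose uid differs
-- from euid indicate the write happened after a privilege change (e.g. a
-- setuid binary), which is worth a closer look in a FIM alert.
SELECT
  datetime(time, 'unixepoch') AS event_time,   -- human-readable event time
  operation,
  path,
  dest_path,                                   -- resolved target, useful for symlink tricks
  executable,
  cwd,
  pid,
  ppid,
  uid,
  euid,
  CASE WHEN uid != euid THEN 'yes' ELSE 'no' END AS privilege_changed,
  partial,
  eid
FROM process_file_events
WHERE time > (strftime('%s', 'now') - 3600)    -- last hour only
  AND path LIKE '/etc/%'                       -- assumed watched prefix
  AND executable NOT IN (                      -- assumed allow-list, constructed for this example
    '/usr/bin/dpkg',
    '/usr/bin/apt-get',
    '/usr/bin/rpm',
    '/usr/bin/yum'
  )
ORDER BY time DESC;
```

Because this is an evented table, each row is consumed from the osquery event buffer as it is queried; schedule the query at an interval shorter than the configured event expiry so no events are lost between runs, and treat rows with partial set to true with care, since the executable and cwd of a process that predates osquery may be incomplete.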