process_file_events

Process file events (open and close) from kernel extension.

Platform support

Please be aware that some queries can only be run against certain platforms. Below is the list of platforms this query supports. Zercurity will automatically pause a query from running if errors are detected. Running a query against an unsupported platform results in the following error: no such table: process_file_events

Table schema

Name        Type     Description
action      TEXT     The action taken on the file (OPEN, CLOSED, or CLOSED_MODIFIED)
pid         BIGINT   Process ID of the process using the file
path        TEXT     Path of the file
parent      BIGINT   Parent process ID of the process using the file
uid         BIGINT   Real user ID of the process using the file
euid        BIGINT   Effective user ID of the process using the file
gid         BIGINT   Real group ID of the process using the file
egid        BIGINT   Effective group ID of the process using the file
mode        BIGINT   Mode (permission bits) of the file
owner_uid   BIGINT   User ID of the owner of the file
owner_gid   BIGINT   Group ID of the owner of the file
atime       BIGINT   Time of last access in UNIX epoch time
mtime       BIGINT   Time of last modification in UNIX epoch time
ctime       BIGINT   Time of last status change in UNIX epoch time
time        BIGINT   Time of the event in UNIX epoch time
uptime      BIGINT   Time of the event in system uptime
eid         TEXT     Event ID

Query examples

Select all the results for the given table.

SELECT * FROM process_file_events;
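The following queries are added examples for this page, not part of the original documentation. They use only the columns listed in the schema above and assume an osquery-compatible SQLite engine (so the datetime() function and integer-valued boolean expressions are available). The watched paths are illustrative assumptions, not a recommended list; the idea is to filter the event stream down to file modifications that matter rather than pulling every open and close.

```sql
-- Added example queries (not from the original page). Column names come from
-- the schema above; the paths in query 2 are assumed for illustration only.

-- 1. Files that were actually changed (CLOSED_MODIFIED), newest first.
--    OPEN and CLOSED events are mostly reads and are far noisier.
SELECT datetime(time, 'unixepoch') AS event_time,
       pid, parent, uid, euid, path
FROM process_file_events
WHERE action = 'CLOSED_MODIFIED'
ORDER BY time DESC;

-- 2. Modifications under locations a defender typically watches
--    (assumed example paths; adjust to the host's own baseline).
SELECT datetime(time, 'unixepoch') AS event_time,
       pid, euid, path, mode, owner_uid
FROM process_file_events
WHERE action = 'CLOSED_MODIFIED'
  AND (path LIKE '/etc/%'
       OR path LIKE '/Library/LaunchDaemons/%'
       OR path LIKE '/Library/LaunchAgents/%');

-- 3. Writes where the effective user differs from the real user, i.e. the
--    process was running with changed privileges when it modified the file.
SELECT datetime(time, 'unixepoch') AS event_time,
       pid, parent, uid, euid, path
FROM process_file_events
WHERE action = 'CLOSED_MODIFIED'
  AND uid != euid;

-- 4. Per-process summary: how many files each process opened versus
--    modified, keeping only processes that wrote something.
--    SQLite evaluates (action = 'OPEN') as 1 or 0, so SUM counts matches.
SELECT pid, parent, euid,
       SUM(action = 'OPEN')            AS opened,
       SUM(action = 'CLOSED_MODIFIED') AS modified
FROM process_file_events
GROUP BY pid, parent, euid
HAVING modified > 0
ORDER BY modified DESC;
```

Query 3 is the one worth scheduling rather than running ad hoc: a non-zero result set means a file was written by a process whose effective identity had been changed, which is a small, reviewable list on a healthy host. The eid column can be carried through any of these queries to de-duplicate events when results are forwarded to a log pipeline.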