Track time/action process executions.

Platform support

Please be aware that some queries can only be run against certain platforms. Below is the list of platforms this query supports. Zercurity will automatically pause a query from running if errors are detected. Running this query against an unsupported platform will result in the following error: no such table: process_events

  • Linux
  • Mac OSX

Table schema

| Name | Type | Description |
|---|---|---|
| pid | BIGINT | Process (or thread) ID |
| path | TEXT | Path of executed file |
| mode | TEXT | File mode permissions |
| cmdline | TEXT | Command line arguments (argv) |
| cmdline_size | BIGINT | Actual size (bytes) of command line arguments |
| env | TEXT | Environment variables delimited by spaces |
| env_count | BIGINT | Number of environment variables |
| env_size | BIGINT | Actual size (bytes) of environment list |
| cwd | TEXT | The process's current working directory |
| auid | BIGINT | Audit User ID at process start |
| uid | BIGINT | User ID at process start |
| euid | BIGINT | Effective user ID at process start |
| gid | BIGINT | Group ID at process start |
| egid | BIGINT | Effective group ID at process start |
| owner_uid | BIGINT | File owner user ID |
| owner_gid | BIGINT | File owner group ID |
| atime | BIGINT | File last access in UNIX time |
| mtime | BIGINT | File modification in UNIX time |
| ctime | BIGINT | File last metadata change in UNIX time |
| btime | BIGINT | File creation in UNIX time |
| overflows | TEXT | List of structures that overflowed |
| parent | BIGINT | Process parent's PID, or -1 if it cannot be determined |
| time | BIGINT | Time of execution in UNIX time |
| uptime | BIGINT | Time of execution in system uptime |
| eid | TEXT | Event ID |
| status | BIGINT | OpenBSM Attribute: Status of the process |

Query examples

Select all the results for the given table.

SELECT * FROM process_events;
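As an added example (not from the original page), a triage query that uses the uid/euid and path columns to surface executions a defender would want to review: processes that started with an effective root ID while the invoking user was unprivileged, and binaries launched from temporary directories. It assumes osquery's process event collection is enabled on the endpoint; the temp-directory paths and the setuid exclusion list are assumptions to tune for your fleet.

```sql
-- Added example, not part of the original Zercurity page.
-- osquery uses SQLite, so datetime(..., 'unixepoch') renders the UNIX time column.
SELECT
  datetime(time, 'unixepoch') AS executed_at,
  pid,
  parent,
  uid,
  euid,
  path,
  mode,
  cwd,
  cmdline,
  CASE
    WHEN euid = 0 AND uid <> 0 THEN 'root_euid_from_unprivileged_uid'
    ELSE 'exec_from_temp_dir'
  END AS finding
FROM process_events
WHERE
  (
    -- Effective root while the starting user was not root: expected for
    -- legitimate setuid helpers, so exclude the well-known ones (assumed list).
    euid = 0 AND uid <> 0
    AND path NOT IN ('/usr/bin/sudo', '/usr/bin/su', '/usr/bin/passwd')
  )
  OR
  (
    -- Executables staged in world-writable locations (assumed paths).
    path LIKE '/tmp/%'
    OR path LIKE '/var/tmp/%'
    OR path LIKE '/dev/shm/%'
  )
ORDER BY time DESC
LIMIT 100;
```

Rows tagged root_euid_from_unprivileged_uid that do not correspond to a known setuid binary on the host are the ones to investigate first; the parent column lets you pivot to the launching process.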