process_events
Tracks process executions: each row is one exec event with its timing, the identity the process started under, and the attributes of the executed file.
Platform support
Some queries can only be run against certain platforms; the platforms this table supports are listed below. Zercurity automatically pauses a query if errors are detected. Running this query against an unsupported platform results in the error: no such table: process_events
- Linux
- macOS
Table schema
Name | Type | Description |
---|---|---|
pid | BIGINT | Process (or thread) ID |
path | TEXT | Path of executed file |
mode | TEXT | File mode permissions |
cmdline | TEXT | Command line arguments (argv) |
cmdline_size | BIGINT | Actual size (bytes) of command line arguments |
env | TEXT | Environment variables delimited by spaces |
env_count | BIGINT | Number of environment variables |
env_size | BIGINT | Actual size (bytes) of environment list |
cwd | TEXT | The process current working directory |
auid | BIGINT | Audit User ID at process start |
uid | BIGINT | User ID at process start |
euid | BIGINT | Effective user ID at process start |
gid | BIGINT | Group ID at process start |
egid | BIGINT | Effective group ID at process start |
owner_uid | BIGINT | File owner user ID |
owner_gid | BIGINT | File owner group ID |
atime | BIGINT | File last access in UNIX time |
mtime | BIGINT | File modification in UNIX time |
ctime | BIGINT | File last metadata change in UNIX time |
btime | BIGINT | File creation in UNIX time |
overflows | TEXT | List of structures that overflowed |
parent | BIGINT | Process parent’s PID, or -1 if cannot be determined. |
time | BIGINT | Time of execution in UNIX time |
uptime | BIGINT | Time of execution in system uptime |
eid | TEXT | Event ID |
status | BIGINT | OpenBSM Attribute: Status of the process |
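As an added example (not part of the original page or of Zercurity's own query library), the following osquery SQL runs against process_events to surface two things a responder typically looks for: exec events where the effective UID differs from the real UID (a setuid or otherwise privilege-changing execution), and executables launched from world-writable temporary directories. The 600-second window and the directory list are assumptions to adjust for your environment.

```sql
-- Added example, not from the page: recent suspicious exec events.
-- Assumptions: the osquery agent's event publisher is enabled (evented
-- tables only hold rows while events are being collected), and the
-- 600-second window and directory list suit your environment.
SELECT
  datetime(time, 'unixepoch') AS executed_at,
  pid,
  parent,
  path,
  cmdline,
  cwd,
  uid,
  euid,
  auid,
  mode
FROM process_events
WHERE time > (strftime('%s', 'now') - 600)
  AND (
    euid != uid                    -- privilege changed at exec time
    OR path LIKE '/tmp/%'          -- constructed list of world-writable dirs
    OR path LIKE '/var/tmp/%'
    OR path LIKE '/dev/shm/%'
  )
ORDER BY time DESC;
```

Two caveats when building on this. The `env` column is deliberately not selected: process environments routinely carry tokens and passwords, and a scheduled query that ships it to a log pipeline turns the pipeline into a credential store. The `parent` column is a PID captured at exec time, not an event ID, so resolving lineage by self-joining process_events on `pid = parent` is only trustworthy within a short window; PIDs are recycled, and a parent that exec'd before event collection started will not appear in the table at all.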