process_file_events

A File Integrity Monitor implementation using the audit service.

Platform support

Please be aware that some queries can only be run against certain platforms. Below is the list of platforms this table supports. Zercurity will automatically pause queries from running if errors are detected. Running a query against an unsupported platform will result in the following error: no such table: process_file_events

  • Linux

Table schema

Name        Type     Description
operation   TEXT     Operation type
pid         BIGINT   Process ID
ppid        BIGINT   Parent process ID
time        BIGINT   Time of execution in UNIX time
executable  TEXT     The executable path
partial     TEXT     True if this is a partial event (i.e. this process existed before osquery started)
cwd         TEXT     The current working directory of the process
path        TEXT     The path associated with the event
dest_path   TEXT     The canonical path associated with the event
uid         TEXT     The uid of the process performing the action
gid         TEXT     The gid of the process performing the action
euid        TEXT     Effective user ID of the process using the file
egid        TEXT     Effective group ID of the process using the file
uptime      BIGINT   Time of execution in system uptime
eid         TEXT     Event ID

Query examples

Select all the results for the given table.

SELECT * FROM process_file_events;
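A more targeted integrity-monitoring query, added here as an example and not taken from the original page: it surfaces mutating file operations under sensitive directories, skips partial events whose process lineage is incomplete, and excludes a small allowlist of executables expected to change those paths. The operation strings, the partial-flag encoding and the allowlisted executable paths are assumptions about a particular osquery deployment, not values documented on this page.

```sql
-- Added example (not from the original page).
-- Assumptions: the 'operation' column carries values such as 'write',
-- 'create', 'rename' and 'unlink', and 'partial' is stored as '1'/'true'
-- for partial events. Adjust both to match your osquery version.
SELECT
  datetime(time, 'unixepoch') AS event_time,
  operation,
  path,
  dest_path,
  executable,
  cwd,
  pid,
  ppid,
  uid,
  euid
FROM process_file_events
WHERE
  -- ignore processes that predate osquery; their ancestry cannot be trusted
  partial NOT IN ('1', 'true')
  -- only operations that can alter file contents or names are relevant to FIM
  AND operation IN ('write', 'create', 'rename', 'unlink')
  -- configuration and credential stores to watch (extend for your environment)
  AND (path LIKE '/etc/%'
       OR dest_path LIKE '/etc/%'
       OR path LIKE '/root/.ssh/%'
       OR path LIKE '/home/%/.ssh/%')
  -- allowlist of tools used by authorised change (assumed paths)
  AND executable NOT IN ('/usr/bin/dpkg', '/usr/bin/apt', '/usr/bin/rpm', '/usr/bin/yum')
ORDER BY time DESC;
```

Pair this with the euid column when triaging results: a write to /etc by a process whose uid and euid differ indicates a privilege transition worth a closer look.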