socket_events
Track network socket opens and closes.
Platform support
Some queries can only be run against certain platforms. The platforms this table supports are listed below. Zercurity will automatically pause a query if errors are detected. Running a query against an unsupported platform results in the following error: no such table: socket_events
- Linux
Table schema
Name | Type | Description |
---|---|---|
action | TEXT | The socket action (bind, listen, close) |
pid | BIGINT | Process (or thread) ID |
path | TEXT | Path of executed file |
fd | TEXT | The file descriptor for the process socket |
auid | BIGINT | Audit User ID |
success | INTEGER | The socket open attempt status |
family | INTEGER | The Internet protocol family ID |
protocol | INTEGER | The network protocol ID |
local_address | TEXT | Local address associated with socket |
remote_address | TEXT | Remote address associated with socket |
local_port | INTEGER | Local network protocol port number |
remote_port | INTEGER | Remote network protocol port number |
socket | TEXT | The local path (UNIX domain socket only) |
time | BIGINT | Time of execution in UNIX time |
uptime | BIGINT | Time of execution in system uptime |
eid | TEXT | Event ID |
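Two queries that use the columns above, added here as an example; they are not part of the Zercurity page or the osquery project's own documentation. On Linux this table is populated by osquery's audit publisher, so rows only appear when the agent runs with `--disable_audit=false --audit_allow_sockets=true`. The first query assumes an `action` value of `'connect'`, which the description above does not list, and joins the `processes` table (an osquery table, not described on this page) for the command line; the second uses only the documented `'bind'` action. The `family` values `2` (AF_INET) and `10` (AF_INET6) are the Linux constants.

```sql
-- Added example (not from the original page or the osquery project).
-- 1. Successful outbound IPv4 connections in the last hour whose remote
--    address is outside loopback and RFC 1918 space, joined to the live
--    process table for the command line. Assumes action = 'connect'.
--    LEFT JOIN keeps the event even if the process has already exited,
--    which is common for short-lived tools; cmdline is then NULL.
SELECT
  se.time,
  se.eid,
  se.pid,
  se.auid,
  se.path,
  p.cmdline,
  se.protocol,
  se.local_address,
  se.local_port,
  se.remote_address,
  se.remote_port
FROM socket_events AS se
LEFT JOIN processes AS p ON p.pid = se.pid
WHERE se.action = 'connect'
  AND se.success = 1
  AND se.family = 2                           -- AF_INET
  AND se.time > strftime('%s', 'now') - 3600  -- last hour, UNIX time
  AND se.remote_address NOT LIKE '127.%'
  AND se.remote_address NOT LIKE '10.%'
  AND se.remote_address NOT LIKE '192.168.%'
  -- 172.16.0.0/12: second octet 16..31
  AND NOT (
    se.remote_address LIKE '172.%'
    AND CAST(
          substr(se.remote_address, 5,
                 instr(substr(se.remote_address, 5), '.') - 1)
        AS INTEGER) BETWEEN 16 AND 31
  )
ORDER BY se.time DESC;

-- 2. New listeners: binds to a wildcard address by binaries that live
--    outside the usual system paths. Uses the documented 'bind' action and
--    the local_* columns; family 10 covers IPv6 wildcard '::'.
SELECT
  se.time,
  se.pid,
  se.auid,
  se.path,
  se.family,
  se.protocol,
  se.local_address,
  se.local_port
FROM socket_events AS se
WHERE se.action = 'bind'
  AND se.success = 1
  AND se.family IN (2, 10)
  AND se.local_address IN ('0.0.0.0', '::')
  AND se.path NOT LIKE '/usr/%'
  AND se.path NOT LIKE '/bin/%'
  AND se.path NOT LIKE '/sbin/%'
ORDER BY se.time DESC;
```

Because this is an events table, rows are buffered on the endpoint and expire according to the agent's event retention settings, so scheduled queries should run at least as often as that window and filter on `time` to avoid re-reporting old events. The UNIX-domain case is separate: those rows carry the socket path in `socket` and an empty `remote_address`, so the address filters above will not match them.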