Linux Process

process

Extends the process object to add Linux specific fields

Attributes

Each attribute is listed as Caption (name, Type), followed by any entity or group annotation and its description.

Ancestry (ancestry, Process Entity[])
  An array of Process Entities describing the extended parentage of this process object. Direct parent information should be expressed through the parent_process attribute. The first array element is the direct parent of this process object. Subsequent list elements go up the process parentage hierarchy; that is, the array is sorted from newest to oldest process. It is recommended to only populate this field for the top-level process object.

Audit User ID (auid, Integer)
  The audit user assigned at login by the audit subsystem.

Command Line (cmd_line, String)
  Entity: COMMAND_LINE
  The full command line used to launch an application, service, process, or job. For example: ssh [email protected]. If the command line is unavailable or missing, the empty string '' is to be used.

Container (container, Container[])
  Entity: CONTAINER
  Group: context
  The information describing an instance of a container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.

Created Time (created_time, Timestamp)
  The time when the process was created/started.

Effective Group ID (egid, Integer)
  The effective group under which this process is running.

Environment Variables (environment_variables, Environment Variable[])
  Environment variables associated with the process.

Effective User ID (euid, Integer)
  The effective user under which this process is running.

File (file, File[])
  Entity: FILE
  The process file object.

Group (group, Group[])
  The group under which this process is running.

Integrity (integrity, String)
  The process integrity level, normalized to the caption of the integrity_id value. In the case of 'Other', it is defined by the event source (Windows only).

Integrity Level (integrity_id, Integer)
  The normalized identifier of the process integrity level (Windows only).

  • 0: Unknown (UNKNOWN)
  • 1: Untrusted (UNTRUSTED)
  • 2: Low (LOW)
  • 3: Medium (MEDIUM)
  • 4: High (HIGH)
  • 5: System (SYSTEM)
  • 6: Protected (PROTECTED)
  • 99: Other (OTHER)

Lineage (lineage, String[])
  The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami'].

  🚧 WARNING: DEPRECATED
  Lineage has been deprecated since 1.4.0. Use the ancestry attribute.

Loaded Modules (loaded_modules, String[])
  The list of loaded module names.

Name (name, Process Name)
  Entity: PROCESS_NAME
  The friendly name of the process, for example: Notepad++.

Namespace PID (namespace_pid, Integer)
  Group: context
  If running under a process namespace (such as in a container), the process identifier within that process namespace.

Parent Process (parent_process, Linux Process[])
  Entity: PROCESS
  The parent process of this process object. It is recommended to only populate this field for the top-level process object, to prevent deep nesting. Additional ancestry information can be supplied in the ancestry attribute.

Path (path, String)
  The process file path.

Process ID (pid, Integer)
  Entity: PROCESS_ID
  The process identifier, as reported by the operating system. A Process ID (PID) is a number used by the operating system to uniquely identify an active process.

Raw Data (raw_data, JSON)
  Group: context
  The event data as received from the event source.

Record ID (record_id, String)
  Group: primary
  Unique identifier for the object.

Sandbox (sandbox, String)
  The name of the containment jail (i.e., sandbox). For example: hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps.

Session (session, Session[])
  The user session under which this process is running.

Terminated Time (terminated_time, Timestamp)
  The time when the process was terminated.

Thread ID (tid, Integer)
  The identifier of the thread associated with the event, as returned by the operating system.

Unique ID (uid, String)
  A unique identifier for this process assigned by the producer (tool). It facilitates correlation of a process event with other events for that process.

Unmapped (unmapped, Unmapped[])
  Data from the source that was not mapped into the schema.

User (user, User[])
  Entity: USER
  The user under which this process is running.

Working Directory (working_directory, String)
  The working directory of a process.

Extended Attributes (xattributes, JSON)
  An unordered collection of zero or more name/value pairs that represent a process extended attribute.
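The rules above for cmd_line, parent_process and ancestry (direct parent only in parent_process, ancestry ordered newest to oldest and populated only on the top-level object) as an added Python example; this is not OCSF project code, the process table is constructed, and deriving name from path is an assumption.

```python
# Added example (not OCSF project code): assembles an OCSF 1.4.0 Linux Process
# object from a constructed, in-memory process table, following the page's
# rules for cmd_line, parent_process and ancestry.
from typing import Any

# Constructed sample: pid -> (ppid, path, cmd_line or None, auid, euid, egid)
PROC_TABLE: dict[int, tuple] = {
    1:    (0,    "/usr/lib/systemd/systemd", "/sbin/init",              4294967295, 0, 0),
    812:  (1,    "/usr/sbin/sshd",           "sshd: /usr/sbin/sshd -D", 4294967295, 0, 0),
    4310: (812,  "/usr/bin/bash",            None,                      1000, 1000, 1000),
    4388: (4310, "/usr/bin/whoami",          "whoami",                  1000, 1000, 1000),
}

def process_entity(pid: int) -> dict[str, Any]:
    """Flat entity for one process; 'name' is derived from the path (assumption)."""
    ppid, path, cmd_line, auid, euid, egid = PROC_TABLE[pid]
    return {
        "pid": pid,
        "name": path.rsplit("/", 1)[-1],
        "path": path,
        # The page requires the empty string when the command line is missing.
        "cmd_line": cmd_line if cmd_line is not None else "",
        "auid": auid, "euid": euid, "egid": egid,
    }

def ancestor_pids(pid: int) -> list[int]:
    """PIDs from the direct parent upward (newest to oldest), stopping at an
    unknown ppid or at a cycle in a corrupted table."""
    chain, seen = [], {pid}
    ppid = PROC_TABLE[pid][0]
    while ppid in PROC_TABLE and ppid not in seen:
        chain.append(ppid)
        seen.add(ppid)
        ppid = PROC_TABLE[ppid][0]
    return chain

def build_linux_process(pid: int) -> dict[str, Any]:
    """Top-level Linux Process object: direct parent in parent_process (not
    nested further) and the full chain in ancestry, as the page recommends."""
    obj = process_entity(pid)
    parents = ancestor_pids(pid)
    obj["ancestry"] = [process_entity(p) for p in parents]
    if parents:
        obj["parent_process"] = process_entity(parents[0])
    return obj

if __name__ == "__main__":
    import json
    print(json.dumps(build_linux_process(4388), indent=2))
```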

Relationships

Linux Process shown in context

Inbound Relationships

These objects and events reference Linux Process in their attributes:

Outbound Relationships

Linux Process references the following objects and events in its attributes:

This page describes ocsf-1.4.0