Class: LinuxProcess

Extends the process object to add Linux specific fields

URI: ocsf:LinuxProcess

 classDiagram
    class LinuxProcess
    click LinuxProcess href "../LinuxProcess/"
      LinuxUsersProfile <|-- LinuxProcess
        click LinuxUsersProfile href "../LinuxUsersProfile/"
      Process <|-- LinuxProcess
        click Process href "../Process/"

      LinuxProcess : ancestry
        LinuxProcess --> "*" ProcessEntity : ancestry
        click ProcessEntity href "../ProcessEntity/"
      LinuxProcess : auid
      LinuxProcess : cmd_line
      LinuxProcess : container
        LinuxProcess --> "0..1 _recommended_" Container : container
        click Container href "../Container/"
      LinuxProcess : cpid
      LinuxProcess : created_time
      LinuxProcess : egid
      LinuxProcess : environment_variables
        LinuxProcess --> "*" EnvironmentVariable : environment_variables
        click EnvironmentVariable href "../EnvironmentVariable/"
      LinuxProcess : euid
      LinuxProcess : file
        LinuxProcess --> "0..1 _recommended_" File : file
        click File href "../File/"
      LinuxProcess : group
        LinuxProcess --> "0..1 _recommended_" Group : group
        click Group href "../Group/"
      LinuxProcess : integrity
      LinuxProcess : integrity_id
        LinuxProcess --> "0..1" IntegrityIdEnum : integrity_id
        click IntegrityIdEnum href "../IntegrityIdEnum/"
      LinuxProcess : lineage
      LinuxProcess : loaded_modules
      LinuxProcess : name
      LinuxProcess : namespace_pid
      LinuxProcess : parent_process
        LinuxProcess --> "0..1 _recommended_" Process : parent_process
        click Process href "../Process/"
      LinuxProcess : path
      LinuxProcess : pid
      LinuxProcess : ptid
      LinuxProcess : sandbox
      LinuxProcess : session
        LinuxProcess --> "0..1" Session : session
        click Session href "../Session/"
      LinuxProcess : terminated_time
      LinuxProcess : tid
      LinuxProcess : uid
      LinuxProcess : user
        LinuxProcess --> "0..1 _recommended_" User : user
        click User href "../User/"
      LinuxProcess : working_directory
      LinuxProcess : xattributes
        LinuxProcess --> "0..1" Object : xattributes
        click Object href "../Object/"

Inheritance

  • Process
      • LinuxProcess (mixin: LinuxUsersProfile)

Slots

| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| auid | 0..1 Integer | The audit user assigned at login by the audit subsystem | LinuxUsersProfile |
| egid | 0..1 Integer | The effective group under which this process is running | LinuxUsersProfile |
| euid | 0..1 Integer | The effective user under which this process is running | LinuxUsersProfile |
| group | 0..1 recommended Group | The group under which this process is running | LinuxUsersProfile |
| ancestry | * ProcessEntity | An array of Process Entities describing the extended parentage of this process object | Process |
| environment_variables | * EnvironmentVariable | Environment variables associated with the process | Process |
| file | 0..1 recommended File | The process file object | Process |
| integrity | 0..1 String | The process integrity level, normalized to the caption of the integrity_id | Process |
| integrity_id | 0..1 IntegrityIdEnum | The normalized identifier of the process integrity level (Windows only) | Process |
| lineage | * FilePathT | The lineage of the process, represented by a list of paths for each ancestor | Process |
| loaded_modules | * String | The list of loaded module names | Process |
| parent_process | 0..1 recommended Process | The parent process of this process object | Process |
| ptid | 0..1 Integer | The identifier of the process thread associated with the event, as returned by the operating system | Process |
| sandbox | 0..1 String | The name of the containment jail (i.e., sandbox) | Process |
| session | 0..1 Session | The user session under which this process is running | Process |
| terminated_time | 0..1 TimestampT | The time when the process was terminated | Process |
| tid | 0..1 Integer | The identifier of the thread associated with the event, as returned by the operating system | Process |
| user | 0..1 recommended User | The user under which this process is running | Process |
| working_directory | 0..1 String | The working directory of a process | Process |
| xattributes | 0..1 Object | An unordered collection of zero or more name/value pairs that represent a process extended attribute | Process |
| container | 0..1 recommended Container | The information describing an instance of a container | ContainerProfile |
| namespace_pid | 0..1 recommended Integer | If running under a process namespace (such as in a container), the process identifier within that process namespace | ContainerProfile |
| cmd_line | 0..1 recommended String | The full command line used to launch an application, service, process, or job | ProcessEntity |
| cpid | 0..1 recommended UuidT | A unique process identifier that can be assigned deterministically by multiple system data producers | ProcessEntity |
| created_time | 0..1 recommended TimestampT | The time when the process was created/started | ProcessEntity |
| name | 0..1 recommended String | The friendly name of the process, for example: Notepad++ | Entity, ProcessEntity |
| path | 0..1 String | The process file path | ProcessEntity |
| pid | 0..1 recommended Integer | The process identifier, as reported by the operating system | ProcessEntity |
| uid | 0..1 recommended String | A unique identifier for this process assigned by the producer (tool) | Entity, ProcessEntity |

In Subsets

  • linux_extension_subset

Aliases

  • Linux Process

Identifier and Mapping Information

Annotations

| property | value |
|---|---|
| ocsf_extension | linux |

Schema Source

  • from schema: https://w3id.org/lmodel/ocsf

Mappings

| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:LinuxProcess |
| native | ocsf:LinuxProcess |
| exact | uco_master:UNIXProcess |

LinkML Source

Direct

name: LinuxProcess
annotations:
  ocsf_extension:
    tag: ocsf_extension
    value: linux
description: Extends the process object to add Linux specific fields
in_subset:
- linux_extension_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Linux Process
exact_mappings:
- uco_master:UNIXProcess
is_a: Process
mixins:
- LinuxUsersProfile

Induced

name: LinuxProcess
annotations:
  ocsf_extension:
    tag: ocsf_extension
    value: linux
description: Extends the process object to add Linux specific fields
in_subset:
- linux_extension_subset
from_schema: https://w3id.org/lmodel/ocsf
aliases:
- Linux Process
exact_mappings:
- uco_master:UNIXProcess
is_a: Process
mixins:
- LinuxUsersProfile
attributes:
  auid:
    name: auid
    description: The audit user assigned at login by the audit subsystem.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Audit User ID
    rank: 1000
    alias: auid
    owner: LinuxProcess
    domain_of:
    - LinuxUsersProfile
    range: integer
  egid:
    name: egid
    description: The effective group under which this process is running.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Effective Group ID
    rank: 1000
    alias: egid
    owner: LinuxProcess
    domain_of:
    - LinuxUsersProfile
    - MacosUsersProfile
    range: integer
  euid:
    name: euid
    description: The effective user under which this process is running.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Effective User ID
    rank: 1000
    alias: euid
    owner: LinuxProcess
    domain_of:
    - LinuxUsersProfile
    - MacosUsersProfile
    range: integer
  group:
    name: group
    description: The group under which this process is running.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Group
    rank: 1000
    alias: group
    owner: LinuxProcess
    domain_of:
    - QueryEvidence
    - Api
    - ApplicationObject
    - Databucket
    - ManagedEntity
    - Policy
    - ResourceDetails
    - AdminGroupQuery
    - AuthorizeSession
    - GroupManagement
    - LinuxUsersProfile
    range: Group
    recommended: true
  ancestry:
    name: ancestry
    description: 'An array of Process Entities describing the extended parentage of
      this process

      object. Direct parent information should be expressed through the

      <code>parent_process</code> attribute. The first array element is the direct

      parent of this process object. Subsequent list elements go up the process

      parentage hierarchy. That is, the array is sorted from newest to oldest

      process. It is recommended to only populate this field for the top-level

      process object.'
    notes:
    - 'Guidance on Representing Process Parentage 

      https://github.com/ocsf/ocsf-docs/blob/main/articles/representing-process-parentage.md'
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://github.com/ocsf/ocsf-docs/blob/main/articles/representing-process-parentage.md
    aliases:
    - Ancestry
    rank: 1000
    alias: ancestry
    owner: LinuxProcess
    domain_of:
    - Process
    range: ProcessEntity
    multivalued: true
  environment_variables:
    name: environment_variables
    description: Environment variables associated with the process.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Environment Variables
    rank: 1000
    alias: environment_variables
    owner: LinuxProcess
    domain_of:
    - Process
    range: EnvironmentVariable
    multivalued: true
  file:
    name: file
    description: The process file object.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - File
    rank: 1000
    alias: file
    owner: LinuxProcess
    domain_of:
    - Osint
    - QueryEvidence
    - Script
    - AffectedCode
    - Databucket
    - Evidences
    - Job
    - KernelDriver
    - Module
    - Process
    - FileHosting
    - FileQuery
    - DataSecurityFinding
    - EmailFileActivity
    - FtpActivity
    - HttpActivity
    - NetworkFileActivity
    - RdpActivity
    - SmbActivity
    - SshActivity
    - FileRemediationActivity
    - EventLogActvity
    - FileActivity
    range: File
    recommended: true
  integrity:
    name: integrity
    description: 'The process integrity level, normalized to the caption of the integrity_id

      value. In the case of ''Other'', it is defined by the event source (Windows

      only).'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Integrity
    rank: 1000
    alias: integrity
    owner: LinuxProcess
    domain_of:
    - Process
    range: string
  integrity_id:
    name: integrity_id
    annotations:
      sibling:
        tag: sibling
        value: integrity
    description: The normalized identifier of the process integrity level (Windows
      only).
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Integrity Level
    rank: 1000
    alias: integrity_id
    owner: LinuxProcess
    domain_of:
    - Process
    range: IntegrityIdEnum
  lineage:
    name: lineage
    description: 'The lineage of the process, represented by a list of paths for each
      ancestor

      process. For example: <code>[''/usr/sbin/sshd'', ''/usr/bin/bash'',

      ''/usr/bin/whoami'']</code>.'
    deprecated: Use the <code>ancestry</code> attribute.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Lineage
    rank: 1000
    alias: lineage
    owner: LinuxProcess
    domain_of:
    - Process
    range: FilePathT
    multivalued: true
  loaded_modules:
    name: loaded_modules
    description: The list of loaded module names.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Loaded Modules
    rank: 1000
    alias: loaded_modules
    owner: LinuxProcess
    domain_of:
    - Process
    range: string
    multivalued: true
  parent_process:
    name: parent_process
    description: 'The parent process of this process object. It is recommended to
      only populate

      this field for the top-level process object, to prevent deep nesting.

      Additional ancestry information can be supplied in the <code>ancestry</code>

      attribute.'
    notes:
    - 'Guidance on Representing Process Parentage 

      https://github.com/ocsf/ocsf-docs/blob/main/articles/representing-process-parentage.md'
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://github.com/ocsf/ocsf-docs/blob/main/articles/representing-process-parentage.md
    aliases:
    - Parent Process
    rank: 1000
    alias: parent_process
    owner: LinuxProcess
    domain_of:
    - Process
    range: Process
    recommended: true
  ptid:
    name: ptid
    description: 'The identifier of the process thread associated with the event,
      as returned by

      the operating system.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Process Thread ID
    rank: 1000
    alias: ptid
    owner: LinuxProcess
    domain_of:
    - Process
    range: integer
  sandbox:
    name: sandbox
    description: 'The name of the containment jail (i.e., sandbox). For example, hardened_ps,

      high_security_ps, oracle_ps, netsvcs_ps, or default_ps.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Sandbox
    rank: 1000
    alias: sandbox
    owner: LinuxProcess
    domain_of:
    - Process
    range: string
  session:
    name: session
    description: The user session under which this process is running.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Session
    rank: 1000
    alias: session
    owner: LinuxProcess
    domain_of:
    - QueryEvidence
    - Actor
    - NetworkConnectionInfo
    - Process
    - SessionQuery
    - Authentication
    - AuthorizeSession
    - TunnelActivity
    range: Session
  terminated_time:
    name: terminated_time
    description: The time when the process was terminated.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Terminated Time
    rank: 1000
    alias: terminated_time
    owner: LinuxProcess
    domain_of:
    - Process
    range: TimestampT
  tid:
    name: tid
    description: 'The identifier of the thread associated with the event, as returned
      by the

      operating system.'
    deprecated: '<code>tid</code> is deprecated in favor of <code>ptid</code>. <code>ptid</code>

      has type <code>long_t</code> which can accommodate the thread identifiers

      returned by all platforms (e.g. 64-bit on MacOS). (since 1.6.0)'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Thread ID
    rank: 1000
    alias: tid
    owner: LinuxProcess
    domain_of:
    - Process
    range: integer
  user:
    name: user
    description: The user under which this process is running.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - User
    rank: 1000
    alias: user
    owner: LinuxProcess
    domain_of:
    - QueryEvidence
    - Actor
    - Evidences
    - Job
    - ManagedEntity
    - Process
    - UserInventory
    - UserQuery
    - IamAnalysisFinding
    - AccountChange
    - Authentication
    - AuthorizeSession
    - GroupManagement
    - UserAccess
    - RdpActivity
    - TunnelActivity
    range: User
    recommended: true
  working_directory:
    name: working_directory
    description: The working directory of a process.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Working Directory
    rank: 1000
    alias: working_directory
    owner: LinuxProcess
    domain_of:
    - Process
    range: string
  xattributes:
    name: xattributes
    description: 'An unordered collection of zero or more name/value pairs that represent
      a

      process extended attribute.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Extended Attributes
    rank: 1000
    alias: xattributes
    owner: LinuxProcess
    domain_of:
    - File
    - Process
    range: Object
  container:
    name: container
    annotations:
      group:
        tag: group
        value: context
    description: 'The information describing an instance of a container. A container
      is a

      prepackaged, portable system image that runs isolated on an existing system

      using a container runtime like containerd.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Container
    rank: 1000
    alias: container
    owner: LinuxProcess
    domain_of:
    - Evidences
    - ContainerProfile
    - CloudResourcesInventoryInfo
    range: Container
    recommended: true
  namespace_pid:
    name: namespace_pid
    annotations:
      group:
        tag: group
        value: context
    description: 'If running under a process namespace (such as in a container), the
      process

      identifier within that process namespace.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Namespace PID
    rank: 1000
    alias: namespace_pid
    owner: LinuxProcess
    domain_of:
    - ContainerProfile
    range: integer
    recommended: true
  cmd_line:
    name: cmd_line
    annotations:
      observable_id:
        tag: observable_id
        value: 13
    description: 'The full command line used to launch an application, service, process,
      or job.

      For example: <code>ssh user@10.0.0.10</code>. If the command line is

      unavailable or missing, the empty string <code>''''</code> is to be used.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Command Line
    rank: 1000
    alias: cmd_line
    owner: LinuxProcess
    domain_of:
    - Job
    - ProcessEntity
    - WinService
    range: string
    recommended: true
  cpid:
    name: cpid
    annotations:
      ocsf_source:
        tag: ocsf_source
        value: cpid
    description: 'A unique process identifier that can be assigned deterministically
      by multiple

      system data producers.'
    notes:
    - 'OCSF Common Process Identifier (CPID) Specification 

      https://github.com/ocsf/common-process-id'
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://github.com/ocsf/common-process-id
    aliases:
    - Common Process Identifier
    rank: 1000
    alias: cpid
    owner: LinuxProcess
    domain_of:
    - ProcessEntity
    range: UuidT
    recommended: true
  created_time:
    name: created_time
    description: The time when the process was created/started.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Created Time
    rank: 1000
    alias: created_time
    owner: LinuxProcess
    domain_of:
    - Osint
    - RelatedEvent
    - Sbom
    - Scim
    - Session
    - Sso
    - Token
    - Whois
    - Resource
    - Advisory
    - AuthenticationToken
    - Certificate
    - Cve
    - Database
    - Databucket
    - DigitalSignature
    - Enrichment
    - Epss
    - File
    - FindingObject
    - FindingInfo
    - Job
    - KbArticle
    - LdapPerson
    - ProcessEntity
    - Table
    - Device
    range: TimestampT
    recommended: true
  name:
    name: name
    description: 'The friendly name of the process, for example: <code>Notepad++</code>.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Name
    rank: 1000
    alias: name
    owner: LinuxProcess
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - Parameter
    - PrivilegeInfo
    - San
    - Scim
    - Script
    - ServicePrivilegeAnalysis
    - SoftwareComponent
    - Sso
    - StartupItem
    - ThreatActor
    - Token
    - Entity
    - Resource
    - Account
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - AutonomousSystem
    - Campaign
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - ClassifierDetails
    - Container
    - D3fTactic
    - D3fTechnique
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Endpoint
    - Enrichment
    - EnvironmentVariable
    - Evidences
    - Extension
    - Feature
    - File
    - Graph
    - Group
    - HttpCookie
    - HttpHeader
    - Idp
    - Image
    - Job
    - Kernel
    - KeyValueObject
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metric
    - Mitigation
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - ResourceDetails
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - FtpActivity
    - RegValue
    - WinResource
    - WinService
    - PrefetchQuery
    range: string
    recommended: true
  path:
    name: path
    description: The process file path.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Path
    rank: 1000
    alias: path
    owner: LinuxProcess
    domain_of:
    - Url
    - AffectedPackage
    - File
    - HttpCookie
    - Image
    - Kernel
    - Malware
    - ProcessEntity
    - Product
    - RegKey
    - RegValue
    range: string
  pid:
    name: pid
    annotations:
      observable_id:
        tag: observable_id
        value: 15
    description: 'The process identifier, as reported by the operating system. Process
      ID (PID)

      is a number used by the operating system to uniquely identify an active

      process.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Process ID
    rank: 1000
    alias: pid
    owner: LinuxProcess
    domain_of:
    - ProcessEntity
    range: integer
    recommended: true
  uid:
    name: uid
    description: 'A unique identifier for this process assigned by the producer (tool).

      Facilitates correlation of a process event with other events for that process.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Unique ID
    rank: 1000
    alias: uid
    owner: LinuxProcess
    domain_of:
    - Osint
    - Package
    - ProgrammaticCredential
    - RelatedEvent
    - Request
    - Sbom
    - Scim
    - Script
    - Session
    - Span
    - Sso
    - Ticket
    - Token
    - Trace
    - Entity
    - Resource
    - Account
    - Advisory
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - Certificate
    - Check
    - ClassifierDetails
    - Container
    - Cve
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Email
    - Endpoint
    - Evidences
    - Extension
    - Feature
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - HttpRequest
    - Idp
    - Image
    - KbArticle
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metadata
    - Mitigation
    - NetworkConnectionInfo
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - WinResource
    range: string
    recommended: true
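The attribute descriptions above carry rules a producer can get wrong silently: ancestry is sorted newest to oldest with its first element equal to the direct parent, parent_process and ancestry are recommended only on the top-level process object, tid and lineage are deprecated in favour of ptid and ancestry, integrity and integrity_id are documented as Windows-only, and a missing command line is to be encoded as the empty string rather than omitted. The following is an added example in Python, not code from the OCSF project or from this generated page: it checks a LinuxProcess object against those rules. The process records are constructed samples, and the names validate_linux_process and ancestor_paths_oldest_first are this example's own.

```python
"""Check an OCSF LinuxProcess object against the parentage and field guidance
in the schema above.  Added example, not OCSF project code; samples constructed."""

from __future__ import annotations

from typing import Any

# Slots the schema types as integer (see the Slots table above).
INTEGER_SLOTS = ("pid", "ptid", "tid", "euid", "egid", "auid", "namespace_pid")

# Slots the schema marks deprecated, mapped to the replacement it names.
DEPRECATED_SLOTS = {"tid": "ptid", "lineage": "ancestry"}

# Slots the schema describes as Windows-only, hence unexpected on a LinuxProcess.
WINDOWS_ONLY_SLOTS = ("integrity", "integrity_id")


def validate_linux_process(proc: dict[str, Any], top_level: bool = True) -> list[str]:
    """Return a list of findings; an empty list means the object follows the guidance."""
    findings: list[str] = []

    for slot in INTEGER_SLOTS:
        if slot in proc and not isinstance(proc[slot], int):
            findings.append(f"{slot} must be an integer, got {type(proc[slot]).__name__}")

    # cmd_line is recommended; when unavailable the schema wants the empty string.
    if "cmd_line" not in proc:
        findings.append("cmd_line missing; use '' when the command line is unavailable")
    elif not isinstance(proc["cmd_line"], str):
        findings.append("cmd_line must be a string")

    for slot, replacement in DEPRECATED_SLOTS.items():
        if slot in proc:
            findings.append(f"{slot} is deprecated; use {replacement}")

    for slot in WINDOWS_ONLY_SLOTS:
        if slot in proc:
            findings.append(f"{slot} is documented as Windows-only")

    # parent_process and ancestry are recommended only on the top-level object,
    # to prevent deep nesting.
    if not top_level:
        for slot in ("parent_process", "ancestry"):
            if slot in proc:
                findings.append(f"{slot} populated on a nested process; populate only at top level")

    parent = proc.get("parent_process")
    ancestry = proc.get("ancestry")
    if ancestry is not None:
        if not isinstance(ancestry, list):
            findings.append("ancestry must be an array of ProcessEntity objects")
        else:
            # Sorted newest to oldest, so created_time must never increase along the array.
            times = [e.get("created_time") for e in ancestry]
            for i in range(1, len(times)):
                if times[i - 1] is not None and times[i] is not None and times[i] > times[i - 1]:
                    findings.append(f"ancestry[{i}] is newer than ancestry[{i - 1}]; array must be newest to oldest")
            # The first element is the direct parent, so it must agree with parent_process.
            if isinstance(parent, dict) and ancestry and ancestry[0].get("pid") != parent.get("pid"):
                findings.append("ancestry[0] does not match parent_process pid")

    if isinstance(parent, dict):
        findings.extend("parent_process." + f for f in validate_linux_process(parent, top_level=False))
    return findings


def ancestor_paths_oldest_first(proc: dict[str, Any]) -> list[str]:
    """Ancestor executable paths in oldest-to-newest order, derived from ancestry
    (which the schema orders newest to oldest) without using the deprecated lineage slot."""
    return [e["path"] for e in reversed(proc.get("ancestry", [])) if "path" in e]


# Constructed sample: whoami spawned from an interactive bash under sshd.
# created_time values are epoch milliseconds (constructed).
SSHD = {"pid": 812, "path": "/usr/sbin/sshd", "cmd_line": "/usr/sbin/sshd -D", "created_time": 1_700_000_000_000}
BASH = {"pid": 2140, "path": "/usr/bin/bash", "cmd_line": "-bash", "created_time": 1_700_000_120_000}
GOOD_PROCESS = {
    "pid": 2201, "ptid": 2201, "uid": "proc-2201-constructed",  # producer-assigned uid (constructed)
    "euid": 1000, "egid": 1000, "auid": 1000,
    "name": "whoami", "path": "/usr/bin/whoami", "cmd_line": "whoami",
    "created_time": 1_700_000_125_000,
    "parent_process": dict(BASH),          # direct parent, only on the top-level object
    "ancestry": [dict(BASH), dict(SSHD)],  # newest to oldest; first element is the direct parent
}

# Constructed counter-example that breaks each rule once.
BAD_PROCESS = {
    "pid": "2201",                                  # wrong type
    "tid": 2201,                                    # deprecated slot
    "lineage": ["/usr/sbin/sshd", "/usr/bin/bash"], # deprecated slot
    "integrity": "Medium",                          # Windows-only slot
    "parent_process": {**BASH, "parent_process": dict(SSHD)},  # parentage nested too deep
    "ancestry": [dict(SSHD), dict(BASH)],           # oldest first, and [0] is not the parent
}

if __name__ == "__main__":
    print("good:", validate_linux_process(GOOD_PROCESS))
    print("good ancestors:", ancestor_paths_oldest_first(GOOD_PROCESS))
    for finding in validate_linux_process(BAD_PROCESS):
        print("bad:", finding)
```

The created_time comparison assumes the producer fills that slot on each ProcessEntity in ancestry; elements without it are skipped rather than flagged, since the slot is only recommended.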